New Standard Contractual Clauses Required for EU Personal Data Transfers

Personal data cannot legally be transferred outside the EU/EEA (European Economic Area), or indeed the UK, without specific legal safeguards in place, unless the country in question has been deemed to have an adequate level of data protection (for example Canada or Switzerland). The most common safeguard is the use of Standard Contractual Clauses (‘SCCs’), a template set of clauses approved by the EU Commission, that can be annexed to cross border contracts.

The SCCs template that allows companies to transfer personal data outside of the EU/EEA has recently been revised by the EU Commission. The new versions of the SCCs must be used from 27 September 2021 for all new contracts that are executed, otherwise transfers of personal data from the EU or EEA abroad will be illegal after this date. In addition, all use of the old SCCs must cease by 27 December 2022.

The new SCCs include many of the same features as the previous versions, but there are some differences (please see our previous blog on this topic of 11 June 2021). It is important to note that before implementing the SCCs, companies are now also required to carry out a ‘Data Transfer Impact Assessment’ to ensure an acceptable level of protection can be expected in the country to which the personal data is being transferred.

Simultaneously, the UK, which has utilised the ‘old’ EU-approved SCCs until now, is currently in the process of reviewing its own model transfer contract for adoption in place of the EU version going forwards. Known as the International Data Transfer Agreement, it is likely to be implemented towards the end of this year.

Therefore, companies with both a UK and EU/EEA presence should consider the documentation they have in place for foreign transfers of personal data and look to update (or renegotiate) contracts already in place where necessary.

For advice and support in relation to the above, please get in touch.

Madeleine Rhodes     email: