UK General Data Protection Regulation (UK GDPR)

Standard Contractual Clauses (SSCs) for data transfer

Guide

Standard Contractual Clauses (SCCs) are one of the key safeguarding mechanisms to ensure the lawful and secure transfer of personal data from the European Economic Area (EEA) to 'third' countries. They make the data transfer between two businesses subject to a legally binding agreement guaranteeing that the rights of individuals whose personal data is being transferred will be protected.

New Standard Contractual Clauses for restricted transfers from the EU

In June 2021, the European Commission (EC) adopted new SCCs which can be used to provide safeguards for restricted transfers of personal data from the EU.

From 27 September 2021, the new SCCs can be used for new data transfers from the EEA. For existing transfers, businesses have until 27 December 2022 to replace old SCCs with the new SCCs. 

Restricted data transfers from the UK

The new EU SCCs are not directly applicable in the UK. The UK Information Commissioner's Office (ICO) is planning to introduce a UK-specific equivalent to the new EU SCCs. In August 2021, the ICO has launched a consultation on proposed new mechanisms for secure transfers from the UK:

  • International Data Transfer Agreement (IDTA) – this will be a UK equivalent to the EU's SCCs and is most likely to be used for transfers of personal data to a single country
  • UK Addendum to the EU SCCs – this can be appended to the recently approved EU SCCs and is most likely to be used for transfers involving EU data

These mechanisms are currently being consulted on and are not likely to come into effect until late 2021 or early 2022.

Use of the old SCCs for restricted transfers from the UK

Until the new UK-specific transfer mechanisms are available, UK businesses currently relying on SCCs can continue to use the old EU SCCs, or forms of the old EU SCCs changed in line with guidance from the ICO, to transfer data from the UK.

The ICO has created UK versions of these SSCs templates with suggested UK changes made for you:

If you prefer, you can use the ICO's contract builder to automatically generate the contract. You will need detailed information about the purposes, scope and context of the processing to hand:

You can also use the ICO's interactive tool to help you decide if you need to use standard contractual clauses for such transfers.

SCCs are most likely to be appropriate for small and medium-sized businesses. If you are part of a multinational group of companies and are receiving the data from within that group, you may not need SCCs if your group has approved Binding Corporate Rules (BCRs) in place. See other rules on restricted transfers of personal data.

Schrems II judgment

Schrems II judgment invalidated the EU-US Privacy Shield due to shortcomings in the US data protection laws. The judgment now requires companies to verify the privacy protection in the recipient country in order to use the SCCs.

This means, if you are making a restricted transfer from the UK using the SCCs, you must assess whether those SCCs provide protection that is 'essentially equivalent' to the protections in the UK data protection regime and, if necessary, put in place additional measures.

The European Data Protection Board (EDPB) have published recommendations on measures that supplement transfer tools, including the necessary risk assessment. The ICO intends to issue its own guidance on this topic in due course.