Data clauses everywhere!

The EU Commission has finally adopted new Standard Contractual Clauses for the transfer of personal data outside the EEA. Well, it’s about time! The old ones were drafted for the old Data Protection Directive which became defunct in 2018 when GDPR became enforceable.

The old SCCs were separate, free-standing arrangements for different types of data transfer. The new SCCs address data transfers in a modular format for a broader range of transfers: (i) Controller-to-Controller, (ii) Controller-to-Processor, (iii) Processor-to-(Sub-)Processor and (iv) Processor-to-Controller. While the new SCCs seek to address parts of the Schrems II decision, businesses should still conduct an impact assessment of the transfer rather than blindly rely upon the SCCs.

The new clauses are already in force. The old ones can be used until 27 September 2021 and transfers under the old SCCs can continue until 27 December 2022.

How does this impact the UK?

First, the EU Commission declared that the UK adequately protects personal data. So transfers from the EEA to the UK may occur without the need to enter into any SCCs.

Second, data transfers from the UK to countries outside the EEA must also provide adequate protection for personal data. One way of doing this is to use SCCs of course. But the Commission’s SCCs do not apply to these transfers. Instead, the ICO’s SCCs will apply. Except the ICO hasn’t published any yet (although they’re likely to mirror the Commission’s clauses in any event).

So the EU Commission took years to update its own SCCs. And the ICO hasn’t published theirs yet. Slow hand claps all round.

In the meantime, I recommend you use the Commission’s new SCCs for data transfers outside the EEA but adjust them as required to refer to the UK Data Protection Act. If you know what you’re doing, fine. Otherwise, contact me for help: +44 (0)20 7467 8742 or

What's your view? Leave a comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.