Transfers of personal data to a third country
Standard contractual clauses
Standard contractual clauses adopted by the European Commission in 2021 can be used by companies as an additional safeguard when transferring personal data to a third country.
The Principle of Data Accuracy according to GDPR
If a company uses standard contractual clauses (SCC), they do not need to obtain a specific permission from the national data protection authority for the transfer. Please note, however, that the European Commission may update the standard contractual clauses, which is important to keep in mind, so that old invalid versions are not used by mistake.
Contracts with standard contractual clauses
If a company enters into an agreement with an operator in a third country, and includes standard contractual clauses adopted by the European Commission, transfers to the operator in that third country are usually allowed.
However, the company may need to take more protective measures in some cases. It is also important to keep in mind that it is not allowed to change the clauses, but it is possible to add other clauses that are business related. Please note, however, that any additions must not contravene any of the standard contractual clauses.
Content of standard contractual clauses adopted by the European Commission
Obligations of companies (controller/processor) wishing to transfer personal data to third countries.
- Obligations of the company (controller/processor) receiving the personal data.
- Regulation of the rights of data subjects.
- Rules on how to resolve any dispute arising from the agreement.
The standard contractual clauses contain provisions that apply to different types of situations. The structure is divided into different “modules”. The standard contractual clauses consist of provisions linked to transfers of personal data within the following four modules:
- Module 1: a controller in the EU to another controller in a third country
- Module 2: a controller within the EU to a processor in a third country
- Module 3: a processor within the EU to another processor in a third country
- Module 4: a processor within the EU to a controller in a third country
When a company is going to use the standard contractual clauses, it is important to use the right modules and the right provisions that fit the specific situation. In addition, more than two parties may enter into the agreement between each other.
Here you can read the latest versions of the standard contractual clauses adopted by the European Commission in 2021.
Conclude a Data Processing Agreement (DPA)
When an operator processes personal data on behalf of a controller, the processing takes place in the capacity of a processor. In such cases, the parties shall enter into a data processing agreement with each other. In addition, that contract must be drawn up in writing in order to be valid under Article 28 of the GDPR.
However, the parties do not need to enter into a separate data processing agreement, if it concerns a transfer to a third country where the companies have taken additional safeguards that include the standard contractual clauses. This is because the latest versions of the standard contractual clauses have included provisions from Article 28 of the GDPR directly in the relevant modules contained in the standard contractual clauses.
The European Commission has created a question-and-answer document on the standard contractual clauses, which contains good information.
More about Transfers of personal data to a third country
Codes of conduct or certification mechanisms
A company that is a controller or processor can adhere to an approved code of conduct when transferring personal data. However, data protection authorities or the European Data Protection Board do not draw up codes of conduct. Instead, it is common for organisations representing a specific industry to draw up a code of conduct, which benefits both small and large companies.