GDPR Basics: Standard Contractual Clauses (SCCs)

Standard Contractual Clauses (SCCs) are a legal mechanism used to transfer personal data from the European Union (EU) to countries outside of the EU, while still adhering to the EU's strict data protection laws, specifically the General Data Protection Regulation (GDPR).

Under the GDPR, personal data can only be transferred to a third country (i.e., a country outside of the EU) if the country provides an adequate level of protection for the personal data being transferred. In the event that a third country does not provide an adequate level of protection, organizations can still transfer personal data to the third country if they put in place appropriate safeguards to protect the personal data, such as SCCs.

SCCs are sets of standardized clauses that have been approved by the European Commission as providing an adequate level of protection for personal data. These clauses can be included in a contract between two organizations, one based in the EU and the other based in a third country, to ensure that the personal data being transferred is protected in accordance with the GDPR.

There are two types of SCCs: SCCs for the transfer of personal data from controllers to processors, and SCCs for the transfer of personal data from controllers to controllers.

SCCs for the transfer of personal data from controllers to processors outline the responsibilities of the processor in relation to the personal data being transferred. The processor must process the personal data in accordance with the instructions of the controller, and must take appropriate measures to protect the personal data.

SCCs for the transfer of personal data from controllers to controllers outline the responsibilities of both controllers in relation to the personal data being transferred. Both controllers must ensure that the personal data is processed in accordance with the GDPR, and must take appropriate measures to protect the personal data.

It is important to note that SCCs are not the only mechanism available for transferring personal data from the EU to a third country. Organizations can also transfer personal data using other appropriate safeguards, such as binding corporate rules or approved codes of conduct.

In conclusion, SCCs are a useful tool for organizations looking to transfer personal data from the EU to a third country, while still adhering to the GDPR's strict data protection laws. By including SCCs in their contracts, organizations can ensure that the personal data being transferred is protected in accordance with the GDPR.

An example of the implementation of Standard Contractual Clauses (SCCs) might be as follows:

1. An EU-based company, Company A, plans to transfer personal data to a third country-based company, Company B.
2. Company A and Company B enter into a contract for the transfer of personal data.
3. As part of the contract, Company A and Company B include SCCs to ensure that the personal data being transferred is protected in accordance with the General Data Protection Regulation (GDPR).
4. The SCCs outline the responsibilities of both Company A and Company B in relation to the personal data being transferred. For example, the SCCs may specify that:

• Company A is the controller of the personal data and Company B is the processor.
• Company B must only process the personal data in accordance with the instructions of Company A.
• Company B must take appropriate technical and organizational measures to protect the personal data.
• Both companies must ensure that the personal data is processed in accordance with the GDPR.

5. Company A and Company B both agree to the terms of the SCCs and sign the contract.
6. Company A begins transferring personal data to Company B, confident that the personal data is protected in accordance with the GDPR thanks to the inclusion of SCCs in the contract.