Under the GDPR (General Data Protection Regulation), organisations that send personal data to a country outside the EU that hasn’t been recognised as providing an adequate level of data protection need to use an appropriate safeguard mechanism.
The two most appropriate mechanisms are SCCs (standard contractual clauses) and BCRs (binding corporate rules).
The latter applies strictly to international personal data transfers within multinational companies, meaning most organisations will be required to use SCCs.
What are standard contractual clauses?
SCCs are legal contracts that contain rights and requirements for the data exporter, data importer and data subjects.
The European Commission has so far issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EEA, and one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EEA.
When should you use standard contractual clauses?
SCCs are suitable when organisations are conducting straightforward data transfers with organisations located in countries outside the EU that don’t have an adequacy decision.
That’s because SCCs only apply to the data processing activities set out in writing, meaning new contracts have to be drafted every time personal data processing activities change.
As such, organisations that conduct ongoing or complex data transfers could soon be tied up with hundreds of SCCs. In these circumstances, BCRs are more suitable.
You should also note that, in June 2021, the EU granted an adequacy decision to the UK, meaning data can flow freely in and out of the EU without additional safeguards such as SCCs or BCRs.
GDPR compliance support with GRCI Law
Are you looking for help meeting your GDPR compliance requirements? If so, you might consider our Privacy as a Service solution.
Led by a team of experienced data protection officers, lawyers, barristers, and information and cyber security experts, we’ll work with you to find a tailored solution that suits your needs.
This includes help with your DPO requirements, breach notification processes and data privacy management, and support completing DSARs.