
Understanding Standard Contractual Clauses (SCCs): A Guide for Businesses

Obehi Okonofua, Privacy Knowledge Lead, Controls Library, TrustArc

Although the cross-border transfer of personal information has become increasingly common, the rise in the enactment of data protection laws has seen many countries impose restrictions on transferring data outside their jurisdictions. Navigating the legal requirements for data transfer is essential to ensure compliance with applicable laws, protect individuals’ personal information, and respect their privacy rights. One important tool that can facilitate the lawful transfer of data is the use of Standard Contractual Clauses (SCCs).

What are Standard Contractual Clauses?

Standard Contractual Clauses are standardized legal provisions that provide a framework for transferring personal data outside of a jurisdiction. The European Commission describes them as “standardized and pre-approved model data protection clauses that allow controllers and processors to comply with their obligations.”

Essentially, SCCs establish clear obligations for both the transferring and receiving parties. They set out the terms for the data transfer and processing, for example, the governing laws, the rights of data subjects, termination, and liability.

Where Can SCCs Be Used?

The list of countries that allow for the use of SCCs is steadily increasing. Currently, SCCs are a viable mechanism for transferring data in jurisdictions such as the European Union (EU), the United Kingdom (UK), China, Turkey, and Saudi Arabia. Additionally, some regional organizations, such as the Association of Southeast Asian Nations (ASEAN) and the Ibero-American Data Protection Network, provide model contractual clauses for their members. This growing acceptance reflects a global shift towards standardized data protection measures.

Why use Standard Contractual Clauses?

Ready-made solution

SCCs provide a pre-established legal framework, making it easy for organizations to implement them and ensure compliance with data protection laws.

No prior authorization required

Utilizing SCCs does not require prior approval from Data Protection Authorities, which can help simplify the process of transferring data.

Additional safeguards

Many jurisdictions allow the inclusion of clauses that provide additional data protection safeguards. This flexibility enables businesses to customize their agreements to meet specific contractual needs while still adhering to the standardized provisions.

Cost-effective

Implementing SCCs can be more economical than negotiating individual legal agreements for each data transfer, helping organizations manage their costs effectively.

Consistent protection

SCCs ensure consistent data protection across countries, maintaining a uniform standard of security for an individual’s data everywhere.

Common requirements in Standard Contractual Clauses

Purpose limitation

SCCs require that data importers only process received data for the specified purposes outlined in the agreement. Organizations must clearly define the intended use of the data and ensure that it is not used for any other additional purposes.

Data minimization

SCCs stipulate that data transfers must be limited to the minimum amount necessary to fulfill the specified purpose, thereby minimizing the risk of unnecessary data exposure.

Data subject rights

Under SCCs, data subjects are granted rights in relation to their personal data. While the specific rights may vary slightly depending on jurisdiction, they typically include:

  • The right to access their data to know what information is held about them.
  • The right to be informed about how their data is being processed and for what purposes.
  • The right to restrict or limit the processing of their data under certain circumstances.
  • The right to correct inaccurate data or to update incomplete data.
  • The right to request the deletion of their personal data.
  • The right to object to the processing of their data for marketing purposes.

Transfer risk assessments/impact assessments

When using SCCs for cross-border data transfers, organizations must conduct transfer risk assessments to identify and evaluate the risks involved in transferring personal data outside a jurisdiction. These assessments are to take into account the specific circumstances of the transfer, e.g., the categories and format of the data, the type of recipient, and the relevant laws and practices.

Breach response

SCCs usually require that organizations pause processing if there is a breach of contract or inadequate safeguards. Processing can recommence if additional safeguards are put in place or if the breach is remedied.

Providing data subjects with a copy of the SCC

Data subjects have the right to request and obtain a copy of the SCCs, and organizations are required to comply with these requests.

Some key differences in Standard Contractual Clauses

Structure

Some jurisdictions, like the EU and Saudi Arabia, take a modular approach to SCCs, having separated the requirements for controller-to-controller transfers, controller-to-processor transfers, processor-to-controller transfers, and processor-to-processor transfers, while others take a one-size-fits-all approach.

Who can rely on the SCCs?

Unlike other jurisdictions where there are no restrictions on the businesses that can use SCCs, China only permits personal information processors who meet the following criteria to rely on Standard Contractual Clauses:

  • if they are non-critical information infrastructure operators;
  • if processing personal information of less than 1 million people, the cumulative number of personal information provided to overseas parties since January 1 of the previous year is less than 100,000; and
  • the cumulative number of sensitive personal information provided to overseas parties since January 1 of the previous year is less than 10,000.

Filing of SCC

China requires personal data processors to register with the local cybersecurity department within 10 days of the effective date of the standard contract, and to submit the standard contract and personal information impact assessment for filing.

Signatures

Although signatures are typically required to execute SCCs, the UK Addendum to the EU Standard Contractual Clauses allows for the option of not including signatures when executing the agreement. This is because the UK Addendum can be executed through any other legally binding means.

Challenges of relying on SCCs

Changes and updates

As with any regulatory framework, Standard Contractual Clauses are subject to updates and revisions. Organizations using SCCs as their transfer mechanisms must ensure that the contracts reflect the latest requirements. This is particularly challenging for large organizations with many legacy contracts, as updating these agreements requires careful review with all parties involved.

Transfer impact assessments (TIAs)

Organizations that export personal data are required to conduct a comprehensive Transfer Risk/Impact Assessment before executing any SCCs. This assessment evaluates the safeguards in place in the country where the data will be processed, ensuring that they provide a level of protection that is at least comparable to that of the transferring country. Complying with this can be time-consuming and may require additional resources and expertise.

Standard Contractual Clauses and other transfer mechanisms

Many organizations utilize multiple data transfer mechanisms depending on their business needs. SCCs may be used alongside them for a more robust approach.

Binding Corporate Rules (BCRs)

Binding Corporate Rules (BCRs) provide a framework for organizations operating in multiple jurisdictions to transfer personal data within their corporate groups. In the EU, BCRs must be approved by the relevant data protection authority, and the approval process is estimated to take, on average, 18 – 24 months.

Due to their narrow application, organizations relying on BCRs will also need an alternative mechanism for data transfers, either before their BCRs are approved or for transfers outside their corporate groups. SCCs can help fill these gaps.

Adequacy decisions

Organizations may transfer personal data from their home country to a third country if the relevant data protection authority has determined that the third country has adequate data protection measures. However, adequacy decisions are subject to review and are revocable.

For example, the EU invalidated the US Privacy Shield in 2020, leaving organizations with uncertainty about EU-US data transfers. (The EU is also currently reviewing the UK’s adequacy decision, which expires in June 2025, to determine whether it should be extended.) While the loss of adequacy is not common, SCCs can be used as a supplemental measure if it occurs.

Data transfer derogations

Most data protection laws provide for scenarios where organizations can transfer personal data without relying on a transfer mechanism, for example, where the transfer is necessary to protect an individual’s vital interest. SCCs can be used where these scenarios do not apply.

Certifications

Leveraging SCCs alongside certifications is a useful approach to international data transfers. This strategy not only ensures compliance with legal and regulatory standards but also allows organizations to demonstrate their commitment to protecting data and maintaining ongoing compliance.

Certifications can also be a viable, cost-effective alternative to SCCs. Organizations that participate in the APEC Cross-Border Privacy Rules (CBPR) System and APEC Privacy Recognition for Processors (PRP) System or self-certify under the EU-US Data Privacy Framework (DPF) can build on the work they have already done under these frameworks to demonstrate compliance with data protection requirements.

The Global CBPR Forum is also expected to be operational next year, providing an additional certification mechanism. Participation in these frameworks can help cover a wide range of data transfer obligations in Europe, the APAC region, and internationally.
