UK General Data Protection Regulation (UK GDPR)

Standard Contractual Clauses (SSCs) for data transfer

Guide

Standard Contractual Clauses (SCCs) are one of the key safeguarding mechanisms to ensure the lawful and secure transfer of personal data from within the European Economic Area (EEA) to third countries, including the UK.

The SCCs make the data transfer between two businesses (data exporter and data receiver) subject to a legally-binding agreement guaranteeing that the rights of individuals' whose personal data is being transferred will be protected.

SCCs are one of the most likely safeguards to be appropriate for small and medium-sized businesses. If you are part of a multinational group of companies and are receiving the data from within that group, you may not need SCCs if your group has approved Binding Corporate Rules (BCRs) in place. See other rules on restricted transfers of personal data.

SCCs for new restricted transfer from the UK

The Information Commissioner's Office (ICO) has developed an interactive tool to help you decide if you need to use standard contractual clauses for transfers from the EEA to the UK.

If you need SCCs, you can continue to use the current EU SCCs for restricted transfers from the UK. You may need to make changes to these to amend references to regulations or supervisory authority but, otherwise, you must not make any changes unless it is to add protections or more clauses on business-related issues.

The ICO has created UK versions of these SSCs templates with suggested UK changes made for you:

If you prefer, you can use their contract builder to automatically generate the contract. You will need detailed information about the purposes, scope and context of the processing to hand:

Schrems II ruling

If you are making a restricted transfer from the UK using SCCs, you must still carry out due diligence in accordance with the Schrems II ruling. The ruling requires you to make an assessment as to whether those SCCs provide protection which is 'essentially equivalent' to the protections in the UK data protection regime, and if necessary put in place additional measures.

The European Data Protection Board (EDPB) have published recommendations on measures that supplement transfer tools, including the necessary risk assessment. The ICO intends to issue its own guidance on this topic in due course.

SCCs and existing data transfers

After 1 January 2021, you can continue to rely on existing SCCs which you have in place for restricted transfers from the UK. In view of the Schrems II ruling, you should review whether they provide sufficient protection for data subjects and, if necessary, take additional measures.

Future changes to SCCs

The ICO intends to consult on and publish UK SCCs during 2021.

Transitional arrangements for SCCs will be kept under review and, at some point, it may be that the EU SCCs will cease to be valid for new and/or existing restricted transfers from the UK. The ICO will provide more information about this when this situation arises.

This guide does not constitute legal advice and is provided for general information purposes only.