Transferring Personal Data Outside of the EEA

|
|
PUBLISHED on
22
July
2022

This blog looks at a very specific area of the GDPR - Article 28 and data transfer outside of the EEA.  One of the ways in which you can legitimise an ex-EEA data transfer is by using the standard contractual clauses (SCCs).

Article 28 mandates a number of requirements that must be placed on data processors, by data controllers, via a contract.  The question is, are the SCCs sufficient to meet these requirements?  Whilst the SCCs are pretty comprehensive, they were drafted before the GDPR came into effect and, as a result, not all of the requirements of Article 28 are addressed by the SCCs.

So, what can you do?

The challenge with the SCCs is that they must be used verbatim.  Any change to the wording, even if it has no material effect on the interpretation, means that the parties cannot claim to be using the SCCs.  However, it is permissible to add clauses or incorporate the SCCs in a broader contract, ’provided nothing in the other contract or additional clauses alters the effect of any of the model clauses’.

So, if you are outsourcing data processing to processors outside the EEA and transferring PII, then you should supplement, and not solely rely on, the SCCs.  The specific gaps between Article 28 and the SCCs are, broadly speaking, that the SCCs (and Appendix where applicable) do not:

  • Address the duration of processing
  • Contain a requirement for the data importer to commit to confidentiality
  • Contain a requirement to support the response to a data subject request
  • Comply with the timing or cooperation requirements relating to a data breach
  • Address the processor participating in a data protection impact assessment (DPIA)
  • Address all audit requirements Address onward transfer of data outside of the EEA.

Do you need assistance in improving your GDPR compliance position?

URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, data retention schedules and training programmes etc.
Thumbnail of the Blog Illustration
Data Protection
Published on
6/3/2025
Are you Processing Special Category Personal Data Without Knowing It?

URM’s blog breaks down the GDPR requirements around special category personal data and how organisations can avoid processing this data inadvertently.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
28/1/2025
How to Build Customer Trust and Loyalty Through Data Protection Best Practice

URM’s blog offers key advice and guidance on how to ensure your data processing practices facilitate not only regulatory compliance, but also customer trust.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
5/6/2024
Data Protection Considerations for Data Analytics

URM’s blog explores the data protection considerations for data analytics tools, and how to reap their many benefits while still maintaining GDPR compliance.

Read more
We engaged URM to help us complete our annual Cyber Essentials Plus certification. They have a great infrastructure and skillset to support the Cyber Essentials program and made the whole process painless for us. It’s a great way for businesses to give themselves a good security health check and in doing so spot any weak points in their IT infrastructure. URM are then perfectly placed to advise on how to fill those gaps for a robust IT / IS policy structure. In summary it’s a great way to show your customers your commitment to cyber security and ultimately keeping their data safe.
Sales engagement platform
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.