Transferring Personal Data Outside of the EEA

|
|
|
PUBLISHED on
22
July
2022
SUMMARY

This blog looks at a very specific area of the GDPR - Article 28 and data transfer outside of the EEA.  One of the ways in which you can legitimise an ex-EEA data transfer is by using the standard contractual clauses (SCCs).

Article 28 mandates a number of requirements that must be placed on data processors, by data controllers, via a contract.  The question is, are the SCCs sufficient to meet these requirements?  Whilst the SCCs are pretty comprehensive, they were drafted before the GDPR came into effect and, as a result, not all of the requirements of Article 28 are addressed by the SCCs.

So, what can you do?

The challenge with the SCCs is that they must be used verbatim.  Any change to the wording, even if it has no material effect on the interpretation, means that the parties cannot claim to be using the SCCs.  However, it is permissible to add clauses or incorporate the SCCs in a broader contract, ’provided nothing in the other contract or additional clauses alters the effect of any of the model clauses’.

So, if you are outsourcing data processing to processors outside the EEA and transferring PII, then you should supplement, and not solely rely on, the SCCs.  The specific gaps between Article 28 and the SCCs are, broadly speaking, that the SCCs (and Appendix where applicable) do not:

  • Address the duration of processing
  • Contain a requirement for the data importer to commit to confidentiality
  • Contain a requirement to support the response to a data subject request
  • Comply with the timing or cooperation requirements relating to a data breach
  • Address the processor participating in a data protection impact assessment (DPIA)
  • Address all audit requirements Address onward transfer of data outside of the EEA.

Do you need assistance in improving your GDPR compliance position?

URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, data retention schedules and training programmes etc.
Thumbnail of the Blog Illustration
Data Protection
Published on
10/1/2025
STAIRs: A New Standard for Social Housing Providers in England

URM’s blog provides a comprehensive breakdown of STAIRs, an upcoming information access standard for private sector social housing providers.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
5/10/2022
Avoiding Email Data Security Breaches

For all of us, email can be both a blessing and a curse. On one hand you have the speed and convenience of communication....

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
13/6/2022
UK International Data Transfer Agreement

DTA and the UK Addendum to the current European Commission’s SCCs re the next steps in providing a transfer tool for complying with the UK GDPR.

Read more
Our experience with URM was all around great and seamless, starting with our account manager who organised everything and was very accommodating, working around our schedule and fitting us in as soon as we wanted. This continued with our assessor for the CE questionnaire part; he was very helpful, taking the time to explain some aspects that were a bit unclear to me and guiding me the whole way through. The same was true of our assessor for the CE+, who took the time to answer any questions I had beforehand and guide me through elements that I was unfamiliar with. During the assessment, he was very helpful, made the process very easy and guided me through some points that needed some additional set up in order to ensure a successful process. This was our first year working with URM and I am sure we’ll be talking again next year. Thank you for all your help!
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.