Standard Contractual Clauses For Controllers To Controllers: How Do I Complete The Clauses?

This document provides guidance on completing standard contractual clauses for international data transfers from a controller to a controller. It explains that there are two sets of standard clauses to choose from depending on the type of transfer. It provides instructions on filling out the required information in the clauses, signing the agreement, and options for exchanging signed copies between the parties. The purpose is to use these clauses as an appropriate safeguard for restricted transfers under GDPR rules.

Uploaded by Sanda Nechifor

Standard contractual clauses for controllers to controllers
This template contract contains the standard contractual clauses which have
been adopted by the European Commission, as an appropriate safeguard to
comply with the GDPR restricted transfer rules.

There are two different sets of standard contractual clauses. Which set to use
will depend on the nature of the restricted transfer: controller to controller or
controller to processor.

If the UK is exiting the EU without a deal, and you are not sure which set of
standard contractual clauses to use, you should work through our interactive
guidance tool: do I need to use standard contractual clauses for transfers from
the EEA to the UK?

How do I complete the clauses?


There are different parts, and you must follow these instructions:

• Areas highlighted pink require you to enter information, which includes areas
for both organisations to sign the contract.
• You must use the standard contractual clauses as they are, without altering
those clauses and including all of them. In this document the clauses which
must not be amended have been locked so you cannot make any changes to
the wording. If you make any changes to those clauses then this contract will
not act as an appropriate safeguard to permit the restricted transfer under
the GDPR rules. All the information you need for your transfer to be compliant
with the GDPR rules on restricted transfers is included within the boxes
highlighted in pink and the locked clauses.
• You may add additional clauses. Some optional clauses for you to consider
have been included in this document, highlighted in orange. You may add or
amend these clauses if you think they are appropriate. If you add any
clauses, you must make sure that:
  o they are only about business related issues and do not alter the
  effect of the standard contractual clauses. For example, commercial
  issues about the handling of the data, or wider services which the
  receiver is offering in relation to the data. If you want to add more
  than one or two clauses, consider whether to have a separate contract;
  o they do not overlap with or contradict the standard contractual
  clauses;
  o they do not reduce the level of protection for the personal data under
  the standard contractual clauses; and
  o they do not reduce the rights of data subjects, or make it any more
  difficult for the data subjects to exercise their rights.
• To help you complete the Annexes, we have provided checklists. These are
just suggestions. You do not need to use the checklists at all. You can also
amend the contents of any category, as you consider best reflects the
international transfer of personal data.

Signing the agreement


Arrange for the sender (the data exporter) and for the receiver (the data
importer) to sign all three boxes, highlighted in pink where their signature is
required.

There are different ways to sign agreements. These are just suggestions of how
you might arrange for the standard contractual clauses to be signed.

• If the sender and receiver are both present, both can sign two copies. Once
both have signed, you should add the date in the box beneath the
signatures. The standard contractual clauses are now a binding contract.
Each party keeps one copy for its records.
• One party (it doesn’t matter which) signs two copies. It posts them to the
other party. The other party signs the two copies. Once both have signed
then you should enter the date in the box beneath the signatures on each
copy. The standard contractual clauses are now a binding contract. One copy
is posted back to the first party for its records.
• One party (it doesn’t matter which party) signs one copy. It scans the signed
version and emails it to the other party. The other party signs the version
containing the scanned signatures. Once both have signed, it can be dated in
the box below the signatures. The standard contractual clauses are now a
binding contract. A scanned version can be shared with the other party for its
records.

You do not need to have an original signed copy of the standard contractual
clauses to comply with the GDPR rules on restricted transfers. A scanned signed
version of the complete contract is sufficient evidence for our purposes.

The standard contractual clauses for international transfers from controller to controller

Non-legally binding guidance: This column does not form part of the standard
contractual clauses, and is not legally binding on either party.

The standard contractual clauses still refer to the Data Protection Directive
95/46/EC. They are still valid, until the EU Commission provides a new GDPR
version and withdraws its approval of this version.

You must not make any changes to the standard contractual clauses to change
references from the Directive to the GDPR.

In any case, there is a provision in the GDPR which means that references to
the Directive in these standard contractual clauses are read as references to
the GDPR.

Parties

Name of the data exporting organisation: Click here to enter text.

Guidance: This is the sender of the restricted transfer of personal data
(referred to as the exporter). Insert the full legal name:
• If a sole trader, his/her full name.
• If a company or limited liability partnership – as formally registered.
• If a partnership, as set out in the Partnership Deed.
• If an unincorporated association, check the establishing document as to
who should enter into this contract.

Address and country of establishment: Click here to enter text.
Country: Click here to enter text.

Guidance: This is the contact address for the exporter. It may be the
registered address but does not need to be. You must include the country.

Telephone: Click here to enter text.

Guidance: This can be the exporter’s general contact telephone number.

Fax: Click here to enter text.

Guidance: This can be the exporter’s general contact fax number. Leave this
blank if you do not have a fax.

Email: Click here to enter text.

Guidance: This can be the exporter’s general contact email address.

Other information needed to identify the organisation: Click here to enter text.

Guidance: For UK companies and limited liability partnerships it is helpful to
include the following: A company/limited liability partnership (delete as
appropriate) registered in England and Wales/Scotland/Northern Ireland (delete
as appropriate). Company number: insert number.

For companies outside the UK, if possible it is helpful to include the
registration number and country of incorporation.

A company number is useful as it can help identify a company even if it has
changed its name and address.

(“the data exporter”)

And

Name of the data importing organisation: Click here to enter text.

Guidance: This is the receiver of the restricted transfer of personal data
(referred to as the importer). Insert the full legal name:
• If a sole trader, his/her full name.
• If a company or limited liability partnership – as formally registered.
• If a partnership, as set out in the Partnership Deed.
• If an unincorporated association, check the establishing document as to
who should enter into this contract.

Address and country of establishment: Click here to enter text.
Country: Click here to enter text.

Guidance: This is the contact address for the importer. It may be the
registered address but does not need to be. You must include the country.

Telephone: Click here to enter text.

Guidance: This can be the importer’s general contact telephone number.

Fax: Click here to enter text.

Guidance: This can be the importer’s general contact fax number. Leave this
blank if you do not have a fax.

Email: Click here to enter text.

Guidance: This can be the importer’s general contact email address.

Other information needed to identify the organisation: Click here to enter text.

Guidance: For UK companies and limited liability partnerships it is helpful to
include the following: A company/limited liability partnership (delete as
appropriate) registered in England and Wales/Scotland/Northern Ireland (delete
as appropriate). Company number: insert number.

For companies outside the UK, if possible it is helpful to include the
registration number and country of incorporation.

A company number is useful as it can help identify a company even if it has
changed its name and address.

(“the data importer”)
Clause 1. Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data/sensitive data’,
‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and
‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of
the European Parliament and of the Council of 24 October 1995 on the protection
of individuals with regard to the processing of personal data and on the free
movement of such data

Guidance: As a general point, the term "third country" means a country outside
the EEA.

A brief overview of these definitions is:

“Personal data”: Information relating to an identified or identifiable natural
person.

“Special categories of data”: Personal data which relates to an individual’s
race, ethnic origin, politics, religion, trade union membership, genetics,
biometrics (where used for ID purposes), health, sex life, or sexual
orientation.

“Process/processing”: In practice means anything which can be done to data,
including collection, recording, organisation, structuring, storage, adaptation
or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction.

“Controller”: A natural or legal person which decides the purposes and means
of processing data.

“Processor”: A natural or legal person which is responsible for processing
personal data on behalf of a controller.

“Data subject”: The individual that personal data relates to.

“Supervisory authority”: An independent national data protection authority,
such as the ICO.

(b) ‘the data exporter’ shall mean the controller who transfers the personal
data;

Guidance: This is the sender/exporter of the personal data, set out on page 1.

(c) ‘the data importer’ shall mean the controller who agrees to receive from
the data exporter personal data for further processing in accordance with the
terms of these clauses and who is not subject to a third country’s system
ensuring adequate protection

Guidance: This is the receiver/importer of the personal data, set out on
page 2.

The definition clarifies that the importer cannot be in a country covered by a
European Commission “adequacy decision”. This is a decision by the EU
Commission that the legal framework in a country (or territory or sector)
provides an adequate level of data protection for personal data. You do not
need to use the standard contractual clauses if the importer is covered by an
adequacy decision.

(d) “clauses” shall mean these contractual clauses, which are a free-standing
document that does not incorporate commercial business terms established by
the parties under separate commercial arrangements.

Guidance: The definition clarifies that these clauses are standalone, and that
they do not incorporate the terms of any separate commercial agreement.

The details of the transfer (as well as the personal data covered) are
specified in Annex B, which forms an integral part of the clauses.

Guidance: This explains that specific details relating to the restricted
transfer are set out in Annex B and form part of the standard contractual
clauses. (The parties are required to fill out Annex B and we provide guidance
on this below).

I. Obligations of the data exporter

The data exporter warrants and undertakes that:

Guidance: Section I sets out the general commitments which the exporter gives
in relation to the data. These commitments are “warranties”, which are promises
given in a contract. If the exporter does not comply with a warranty, this may
lead to a claim from the importer for damages.

In addition, if the exporter does not comply with certain warranties, this may
lead to a claim from data subjects. We have indicated below where a data
subject can take such action in relation to a clause.

I(a) The personal data have been collected, processed and transferred in
accordance with the laws applicable to the data exporter.

Guidance: The exporter of the data must make sure that it has complied with
both the GDPR and the national laws of its own country, when it collects, uses,
and transfers the personal data being sent under the standard contractual
clauses.

If the exporter is established in the UK, the applicable data protection law
will be the GDPR and the Data Protection Act 2018 ("DPA 2018").

I(b) It has used reasonable efforts to determine that the data importer is able
to satisfy its legal obligations under these clauses.

Guidance: The exporter must take steps to make sure that the receiver can
comply with its obligations under the standard contractual clauses.

In practice, the sender should carry out due diligence on the receiver. This
might include asking questions about the receiver’s data protection practices,
reviewing its security measures and reviewing its privacy policy.

Data subjects can take action directly against an exporter who does not comply
with its obligations under this clause. The exporter will be responsible in
this situation for showing that it has made reasonable efforts to determine
that the receiver can comply with its obligations under the standard
contractual clauses.

Data subject enforcement against:
☒ Exporter

I(c) It will provide the data importer, when so requested, with copies of
relevant data protection laws or references to them (where relevant, and not
including legal advice) of the country in which the data exporter is
established.

Guidance: The exporter must provide copies of relevant data protection laws of
its country to the importer, if the importer requests them. If the exporter is
established in the UK, the applicable data protection law will be the GDPR and
the DPA 2018.

The exporter is not required to provide legal advice to the importer.

I(d) It will respond to enquiries from data subjects and the authority
concerning processing of the personal data by the data importer, unless the
parties have agreed that the data importer will so respond, in which case the
data exporter will still respond to the extent reasonably possible and with the
information reasonably available to it if the data importer is unwilling or
unable to respond. Responses will be made within a reasonable time.

Guidance: The exporter must respond to enquiries from data subjects or its
supervisory authority about the processing of the data by the receiver. The
exporter must provide these responses within a reasonable time.

However, the parties can decide that the importer will respond to enquiries
instead of the exporter. But if the importer is not able to or is not willing
to respond to the enquiry, the exporter must respond instead.

Data subjects can take action directly against an exporter who does not comply
with its obligations under this clause.

Data subject enforcement against:
☒ Exporter

I(e) It will make available, upon request, a copy of the clauses to data
subjects who are third party beneficiaries under clause III, unless the clauses
contain confidential information, in which case it may remove such information.
Where information is removed, the data exporter shall inform data subjects in
writing of the reason for removal and of their right to draw the removal to the
attention of the authority. However, the data exporter shall abide by a
decision of the authority regarding access to the full text of the clauses by
data subjects, as long as data subjects have agreed to respect the
confidentiality of the confidential information removed. The data exporter
shall also provide a copy of the clauses to the authority where required.

Guidance: The exporter must provide a copy of the standard contractual clauses
to data subjects who request them.

The exporter can remove confidential information beforehand as long as it
tells the data subjects in writing that it has done this, and why, and tells
data subjects that they can complain to its supervisory authority about the
removal.

The supervisory authority has power to order the exporter to provide a full
copy of the standard contractual clauses to data subjects.

The exporter must also provide a copy (without any deletions) of the standard
contractual clauses to the supervisory authority, if the supervisory authority
requests.

Data subjects can take action directly against an exporter who does not comply
with its obligations under this clause.

Data subject enforcement against:
☒ Exporter

II. Obligations of the data importer

The data importer warrants and undertakes that:

Guidance: Section II sets out the general commitments which the importer gives
in relation to the data.

These commitments are “warranties”, which are promises given in a contract.

If the importer does not comply with a warranty, this may lead to a claim from
the exporter for damages. In addition, if the importer does not comply with
certain obligations, this may lead to a claim from data subjects.

The obligations in this section are intended to make sure that the importer,
who is not subject to the GDPR, provides the same level of protection for the
personal data as required under the GDPR.

II(a) It will have in place appropriate technical and organisational measures
to protect the personal data against accidental or unlawful destruction or
accidental loss, alteration, unauthorised disclosure or access, and which
provide a level of security appropriate to the risk represented by the
processing and the nature of the data to be protected.

Guidance: The importer must provide appropriate technical and organisational
security measures to protect the personal data. When deciding what measures
are appropriate, the importer should think about the type of data (eg how
sensitive it is), the type of processing carried out (eg how intrusive it is)
and the likely harm which could come to data subjects if the data were lost,
stolen or accessed by an unauthorised person.

The GDPR, or the standard contractual clauses themselves, do not specify any
particular mandatory security requirements. It is for the parties to decide
what is appropriate in any particular case. For more guidance on technical and
organisational measures see the ICO Guide to the GDPR.

Data subjects can take action directly against an importer who does not comply
with its obligations under this clause.

Data subject enforcement against:
☒ Importer (if the exporter fails to take action against the importer, when
requested by the data subject)

II(b) It will have in place procedures so that any third party it authorises to
have access to the personal data, including processors, will respect and
maintain the confidentiality and security of the personal data. Any person
acting under the authority of the data importer, including a data processor,
shall be obligated to process the personal data only on instructions from the
data importer. This provision does not apply to persons authorised or required
by law or regulation to have access to the personal data.

Guidance: This clause applies where the importer allows any third-party to
access the data. These third parties could be other controllers or processors.

If the importer allows a third-party to access the data, it must ensure that
these third parties: (i) maintain the confidentiality and security of the
data; and (ii) only process the data according to the importer's instructions.
In practice, it is good practice for these matters to be set out in a written
agreement between the importer and the third-party.

This clause does not apply if the importer is required by law to allow the
third-party access to the personal data.

II(c) It has no reason to believe, at the time of entering into these clauses,
in the existence of any local laws that would have a substantial adverse effect
on the guarantees provided for under these clauses, and it will inform the data
exporter (which will pass such notification on to the authority where required)
if it becomes aware of any such laws.

Guidance: This clause requires the importer to consider its own national laws,
when entering into the standard contractual clauses. It should consider
whether there are any which would have a substantial adverse effect on the
guarantees given under the standard contractual clauses.

If the importer later becomes aware of such a law, it must inform the exporter
and the exporter must notify its supervisory authority. If you are an exporter
in the UK your supervisory authority will be the ICO.

Data subjects can take action directly against an importer who does not comply
with its obligations under this clause.

Data subject enforcement against:
☒ Importer (if the exporter fails to take action against the importer, when
requested by the data subject)

II(d) It will process the personal data for purposes described in Annex B, and
has the legal authority to give the warranties and fulfil the undertakings set
out in these clauses

Guidance: The parties are required to fill in Annex B with various details,
including the purposes for which the importer will process the data. The
purpose of processing is something which must be agreed between the parties at
the outset.

The importer must only process the data for the purposes which the parties
have set out in Annex B. The importer must not process the data for any other
purpose.

The importer must confirm it is able to give the warranties, and to fulfil its
obligations, contained in the standard contractual clauses.

Data subjects can take action directly against an importer who does not comply
with its obligations under this clause.

Data subject enforcement against:
☒ Importer (if the exporter fails to take action against the importer, when
requested by the data subject)

II(e) It will identify to the data exporter a contact point within its
organisation authorised to respond to enquiries concerning processing of the
personal data, and will cooperate in good faith with the data exporter, the
data subject and the authority concerning all such enquiries within a
reasonable time. In case of legal dissolution of the data exporter, or if the
parties have so agreed, the data importer will assume responsibility for
compliance with the provisions of clause I(e).

Guidance: The importer must give the exporter a contact point in its
organisation who is authorised to respond to enquiries about the importer's
processing of the data. If the importer has a data protection officer, this
person might be the appropriate contact point.

The importer must cooperate in good faith with the exporter, data subjects and
supervisory authority in relation to enquiries about its processing. The
importer must also respond to these enquiries within a reasonable time.

If the exporter is legally dissolved (i.e. it no longer exists) or if the
parties have agreed, the importer must take on responsibility for providing
copies of the standard contractual clauses to data subjects and supervisory
authorities on request.

Data subject enforcement against:
☒ Importer (if the exporter fails to take action against the importer, when
requested by the data subject)

II(f) At the request of the data exporter, it will provide the data exporter
with evidence of financial resources sufficient to fulfil its responsibilities
under clause III (which may include insurance coverage).

Guidance: The importer must provide the exporter, upon request, with evidence
to show it has the financial resources to meet any claims made against it by
data subjects for breaches of the standard contractual clauses.

II(g) Upon reasonable request of the data exporter, it will submit its data
processing facilities, data files and documentation needed for processing to
reviewing, auditing and/or certifying by the data exporter (or any independent
or impartial inspection agents or auditors, selected by the data exporter and
not reasonably objected to by the data importer) to ascertain compliance with
the warranties and undertakings in these clauses, with reasonable notice and
during regular business hours. The request will be subject to any necessary
consent or approval from a regulatory or supervisory authority within the
country of the data importer, which consent or approval the data importer will
attempt to obtain in a timely fashion.

Guidance: The exporter (or a third-party auditor appointed by the exporter) is
entitled to audit the importer's processing of the data and compliance with
the standard contractual clauses. The exporter must give the importer
reasonable notice and the audit must be carried out in normal business hours.

The exporter must also make sure that it has obtained any consent it needs to
carry out the audit from the relevant regulatory or supervisory authorities in
the importer's country.

II(h) It will process the personal data, at its option, in accordance with:

(i) the data protection laws of the country in which the data exporter is
established, or

(ii) the relevant provisions[1] of any Commission decision pursuant to Article
25(6) of Directive 95/46/EC, where the data importer complies with the relevant
provisions of such an authorisation or decision and is based in a country to
which such an authorisation or decision pertains, but is not covered by such
authorisation or decision for the purposes of the transfer(s) of the personal
data[2], or

(iii) the data processing principles set forth in Annex A.

[2] However, the provisions of Annex A.5 concerning rights of access,
rectification, deletion and objection must be applied when this option is
chosen and take precedence over any comparable provisions of the Commission
Decision selected.

Guidance: The importer must choose and agree to apply one of the following
data protection standards when processing the data.

(i) The data protection laws of the exporter's country - if the exporter is
based in the UK this will be the GDPR and the DPA 2018. If the exporter is
based in another EEA country it will be the GDPR and the local data protection
law which contains those local law provisions allowed by the GDPR.

(ii) European Commission adequacy decisions (which do not relate to the
importer’s business or sector) – if there is an adequacy decision for the
country in which the importer is based, but the adequacy decision only applies
to a particular sector – the importer may choose to apply the standards of
that adequacy decision.

Currently this may apply only in Canada (where the adequacy decision only
applies to data protected by Canada’s Personal Information Protection and
Electronic Documents Act) and the USA (where the adequacy decision only applies
to data covered by the Privacy Shield).

If the importer chooses option (ii), it may still need to comply with
principle 5 of Annex A (see the guidance on Annex A for more details).

(iii) The processing principles in Annex A to the standard contractual clauses
(set out below). This is the option most frequently chosen by importers.

Data subject enforcement against:
☒ Importer (if the exporter fails to take action against the importer, when
requested by the data subject)

Data importer to indicate which option it selects (please click in the box
next to the chosen option):

(i) ☐ the data protection laws of the country in which the data exporter is
established, or

(ii) ☐ the relevant provisions[3] of any Commission decision pursuant to
Article 25(6) of Directive 95/46/EC, where the data importer complies with the
relevant provisions of such an authorisation or decision and is based in a
country to which such an authorisation or decision pertains, but is not
covered by such authorisation or decision for the purposes of the transfer(s)
of the personal data[4], or

(iii) ☐ the data processing principles set forth in Annex A.

[3] “Relevant provisions” means those provisions of any authorisation or
decision except for the enforcement provisions of any authorisation or
decision (which shall be governed by these clauses).

[4] However, the provisions of Annex A.5 concerning rights of access,
rectification, deletion and objection must be applied when this option is
chosen and take precedence over any comparable provisions of the Commission
Decision selected.

Guidance: → ACTION: The importer must indicate whether it has chosen option
(i), (ii) or (iii). It must also sign or initial this section.

In practice, the majority of importers (particularly small and medium sized
businesses) find option (iii) the most straightforward to implement.

This is because all of the processing principles it needs to comply with are
set out in Annex A and will not change during the contract period.

This is not the case for options (i) or (ii). To use option (i), the importer
would need to keep up to date with data protection laws in the exporter’s
country and ensure that its processing complies with these laws.

To use option (ii), the importer would need to familiarise itself with the
requirements of the relevant adequacy decision (and keep up to date with any
changes) and ensure that its processing is in line with these requirements.

Initials of data importer:

Guidance: → ACTION: The importer should sign or initial where indicated.

II(i) It will not disclose or transfer the personal data to a third party data
controller located outside the European Economic Area (EEA) unless it notifies
the data exporter about the transfer and

(i) the third party data controller processes the personal data in accordance
with a Commission decision finding that a third country provides adequate
protection, or

(ii) the third party data controller becomes a signatory to these clauses or
another data transfer agreement approved by a competent authority in the EU,
or

(iii) data subjects have been given the opportunity to object, after having
been informed of the purposes of the transfer, the categories of recipients
and the fact that the countries to which data is exported may have different
data protection standards, or

(iv) with regard to onward transfers of sensitive data, data subjects have
given their unambiguous consent to the onward transfer.

Guidance: This clause applies to disclosures/onward transfers by the importer
of the data.

If the importer wants to disclose/transfer the data to a third-party
controller which is also outside the EEA (including in the same country as the
importer), it must notify the exporter.

The importer must also ensure that one of the 4 options given in this clause
applies. These are:

Option 1: the third-party controller processes the data in accordance with an
adequacy decision by the European Commission (i.e. a decision that a
particular non-EEA country's laws provide an adequate level of protection for
personal data). For more information on adequacy decisions, see the section on
International Transfers in the ICO Guide to the GDPR.

Option 2: the third-party controller signs the standard contractual clauses or
another data transfer agreement approved by an EU supervisory authority.

Option 3: the data subjects have been informed of the following:
• the purpose of the transfer to the third-party receiver;
• the categories of third-party receivers;
• the fact that the countries where the data may go to may have different
data protection standards,
and were given the chance to object and didn’t.

Option 4: if sensitive data (i.e. special categories of data) is being
disclosed/transferred, the data subjects have unambiguously consented to the
disclosure/transfer.

Data subject enforcement against:
☒ Importer (if the exporter fails to take action against the importer, when
requested by the data subject)

III Liability and third party rights

Non-legally binding guidance:

Section III sets out which parties will be liable for breaches of the standard contractual clauses.

It also sets out data subjects’ rights to enforce compliance by the exporter and importer with the standard contractual clauses.

III(a) Each party shall be liable to the other parties for damages it causes by any breach of these clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third party rights under these clauses. This does not affect the liability of the data exporter under its data protection law.

Non-legally binding guidance:

This clause provides that each party must compensate the other for damage caused by any breach of the standard contractual clauses.

This compensation is only for actual damage suffered by the other party. It does not include punitive damages (damages to punish the party for breaching the standard contractual clauses).

• The importer and the exporter must compensate data subjects for any damages each of them causes to the data subject by breaching those clauses which are enforceable by a data subject.

This is a third-party right; data subjects are not party to the standard contractual clauses but are given the right to enforce certain clauses. These clauses are listed in clause III(b), below, and are highlighted in the relevant sections of this guidance.

Data subject enforcement against:
☑ Exporter
☑ Importer (if the exporter fails to take action against the importer, when requested by the data subject)

III(b) • The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and clauses I(b), I(d), I(e), II(a), II(c), II(d), II(e), II(h), II(i), III(a), V, VI(d) and VII against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter’s country of establishment. In cases involving allegations of breach by the data importer, the data subject must first request the data exporter to take appropriate action to enforce his rights against the data importer; if the data exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the data subject may then enforce his rights against the data importer directly. A data subject is entitled to proceed directly against a data exporter that has failed to use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses (the data exporter shall have the burden to prove that it took reasonable efforts).

Non-legally binding guidance:

Data subjects whose personal data is transferred can enforce compliance with those provisions listed, directly against the exporter or importer.

If the data subject wants to bring a claim against the importer, they must first ask the exporter to take action against the importer. If the exporter does not take action within a month, the data subject may bring a claim against the importer.

A data subject may also bring a claim against an exporter if the exporter did not use reasonable efforts to verify that the importer could comply with the standard contractual clauses.

• Data subjects may bring claims against either party in the courts of the exporter's country.

Data subject enforcement against:
☑ Exporter
☑ Importer (if the exporter fails to take action against the importer, when requested by the data subject)

IV Law applicable to the clauses

These clauses shall be governed by the law of the country in which the data exporter is established, with the exception of the laws and regulations relating to processing of the personal data by the data importer under clause II(h), which shall apply only if so selected by the data importer under that clause.

Non-legally binding guidance:

The standard contractual clauses are governed by the law of the country where the exporter is established.

However, the data protection laws of the data exporter's country will only apply to the importer if the importer selected option (i) in clause II(h).

V Resolution of disputes with data subjects or the authority

Non-legally binding guidance:

This clause sets out what the importer and exporter must do when dealing with claims and disputes brought by data subjects or the supervisory authority.

V(a) In the event of a dispute or claim brought by a data subject or the authority concerning the processing of the personal data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.

Non-legally binding guidance:

If a claim or dispute is brought against the exporter or the importer, or both, by a data subject or supervisory authority, the exporter and importer must inform one another.

The exporter and importer must cooperate with each other to try to settle claims/disputes amicably and in good time.

Data subject enforcement against:
☑ Exporter
☑ Importer (if the exporter fails to take action against the importer, when requested by the data subject)

V(b) The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.

Non-legally binding guidance:

Data subjects and supervisory authorities can require that the exporter and/or importer take part in any non-binding mediation procedure. Non-binding means that no one is bound by any decision or agreement reached.

The importer and exporter may participate remotely in those mediation proceedings (for example, by telephone or video-link).

The exporter and importer must also consider using other dispute resolution procedures outside of court processes – such as arbitration and binding mediation – which are designed for data protection disputes.

Data subject enforcement against:
☑ Exporter
☑ Importer (if the exporter fails to take action against the importer, when requested by the data subject)

V(c) Each party shall abide by a decision of a competent court of the data exporter’s country of establishment or of the authority which is final and against which no further appeal is possible.

Non-legally binding guidance:

In relation to disputes with data subjects or a supervisory authority, the exporter and importer agree to comply with decisions made by a court or the supervisory authority in the exporter’s country, at the point at which that decision is final and cannot be appealed.

Data subject enforcement against:
☑ Exporter
☑ Importer (if the exporter fails to take action against the importer, when requested by the data subject)

VI Termination

Non-legally binding guidance:

Section VI sets out the circumstances in which the parties can terminate the standard contractual clauses and the effect of this termination.

VI(a) In the event that the data importer is in breach of its obligations under these clauses, then the data exporter may temporarily suspend the transfer of personal data to the data importer until the breach is repaired or the contract is terminated.

Non-legally binding guidance:

The exporter can suspend the transfer of data to the importer on a temporary basis if the importer breaches its obligations under the standard contractual clauses.

Transfers of data can be suspended until the importer corrects the breach or the contract is terminated.

VI(b) In the event that:

(i) the transfer of personal data to the data importer has been temporarily suspended by the data exporter for longer than one month pursuant to paragraph (a);

(ii) compliance by the data importer with these clauses would put it in breach of its legal or regulatory obligations in the country of import;

(iii) the data importer is in substantial or persistent breach of any warranties or undertakings given by it under these clauses;

(iv) a final decision against which no further appeal is possible of a competent court of the data exporter’s country of establishment or of the authority rules that there has been a breach of the clauses by the data importer or the data exporter; or

(v) a petition is presented for the administration or winding up of the data importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the data importer is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs

then the data exporter, without prejudice to any other rights which it may have against the data importer, shall be entitled to terminate these clauses, in which case the authority shall be informed where required. In cases covered by (i), (ii), or (iv) above the data importer may also terminate these clauses.

Non-legally binding guidance:

This clause sets out the circumstances in which the exporter or importer can terminate the standard contractual clauses.

Circumstances in which the importer and exporter can terminate:

• Where the transfer has been temporarily suspended for longer than one month under clause VI(a), above.
• Where the importer would be in breach of its own national legal or regulatory obligations if it complied with the standard contractual clauses.
• Where a court or a supervisory authority in the exporter's country has ruled that either the importer or exporter has breached the standard contractual clauses. This must be a final decision, which cannot be appealed.

Circumstances in which only the exporter can terminate:

• Where the importer has substantially or persistently breached any of its obligations under the standard contractual clauses.
• Where the importer becomes insolvent, goes into administration or liquidation, is being wound up, or any equivalent event in any country is underway.

The data exporter may need to inform the supervisory authority in its country, if that is required by local law. This would not be the case if the data exporter is in the UK.

VI(c) Either party may terminate these clauses if (i) any Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC (or any superseding text) is issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the data importer, or (ii) Directive 95/46/EC (or any superseding text) becomes directly applicable in such country.

Non-legally binding guidance:

Either the exporter or the importer may also terminate the standard contractual clauses in the following circumstances.

• If the European Commission makes an adequacy decision that the country, territory or sector to which the data is transferred provides adequate protection for personal data. (This is because if the country, territory or sector is considered adequate then “appropriate safeguards”, such as the standard contractual clauses, would no longer be required to transfer the data).
• If the country to which the data is being transferred became subject to the GDPR (eg if it joined the EU).

VI(d) The parties agree that the termination of these clauses at any time, in any circumstances and for whatever reason (except for termination under clause VI(c)) does not exempt them from the obligations and/or conditions under the clauses as regards the processing of the personal data transferred.

Non-legally binding guidance:

Even if the standard contractual clauses are terminated, both parties must continue to comply with the clauses for as long as the importer processes the data (even if it is only storing it).

This does not apply where either party terminates the standard contractual clauses because the country to which the data is being transferred became subject to the GDPR (eg because it joined the EU).

Data subject enforcement against:
☑ Exporter
☑ Importer (if the exporter fails to take action against the importer, when requested by the data subject)

VII Variation of these clauses

The parties may not modify these clauses except to update any information in Annex B, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required.

Non-legally binding guidance:

The parties must not amend the standard contractual clauses (although they must fill in Annex B and select the relevant option in clause II(h)).

Data subject enforcement against:
☑ Exporter
☑ Importer (if the exporter fails to take action against the importer, when requested by the data subject)

VIII Description of the transfer

The details of the transfer and of the personal data are specified in Annex B. The parties agree that Annex B may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required under clause I(e). The parties may execute additional annexes to cover additional transfers, which will be submitted to the authority where required. Annex B may, in the alternative, be drafted to cover multiple transfers.

Non-legally binding guidance:

The parties must fill in Annex B of the standard contractual clauses with the details of the transfer.

This clause acknowledges that some of the information which the parties may include in Annex B may be confidential and would not therefore be disclosed to third parties (such as data subjects).

It also states that Annex B may be drafted to cover multiple transfers. It says that the parties may add additional annexes to the standard contractual clauses, if they later wish to make additional transfers with different details.

There is a reference in this clause to submitting the annexes to the supervisory authority. This does not apply to exporters in the UK as UK law does not require the ICO to approve or review completed sets of standard contractual clauses.

Additional commercial clauses

The parties are able to add additional commercial clauses.

When including additional commercial clauses, the parties should ensure that these clauses do not in any way:

• overlap with or contradict the standard contractual clauses;
• reduce the level of protection which the data importer is required to provide for the personal data; or
• reduce the rights of data subjects, or make it any more difficult for them to exercise their rights.

If you are unsure whether you can add a particular additional clause or not, you should consider adding it to your main controller – processor agreement, and including a clause in that agreement which says that if there is any conflict between a provision of that agreement and a provision of the standard contractual clauses, the provision in the standard contractual clauses will prevail.

Non-legally binding guidance:

You may add in any additional commercial clauses to the standard contractual clauses.

You do not need to add any of these clauses in order to comply with the GDPR rules on transfers.

When including additional commercial clauses, the parties should ensure that these clauses do not in any way:

• overlap with or contradict the standard contractual clauses;
• reduce the level of protection which the data importer is required to provide for the personal data; or
• reduce the rights of data subjects, or make it any more difficult for them to exercise their rights.

We would not recommend including in the standard contractual clauses those terms required under GDPR for a controller-processor contract. In nearly all cases it is better to have those in a separate agreement.

Indemnification

Please click the box if you wish to include the following optional clause:

☐ Include

Indemnification between the data exporter and data importer:

The parties will indemnify each other and hold each other harmless from any cost, charge, damages, expense or loss which they cause each other as a result of their breach of any of the provisions of these clauses. Indemnification hereunder is contingent upon (a) the party(ies) to be indemnified (the “indemnified party(ies)”) promptly notifying the other party(ies) (the “indemnifying party(ies)”) of a claim, (b) the indemnifying party(ies) having sole control of the defence and settlement of any such claim, and (c) the indemnified party(ies) providing reasonable cooperation and assistance to the indemnifying party(ies) in defence of such claim.

Non-legally binding guidance:

The standard contractual clauses contain this indemnification clause as an example of an additional clause which you could include.

This example is optional – you do not need to include it, and you can choose to add other additional commercial clauses instead of, or in addition to, this example. You can also amend this example.

The clause is a mutual indemnity:

• the importer indemnifies the exporter; and
• the exporter indemnifies the importer;

if either of them is in breach of the standard contractual clauses.

In this context, an “indemnity” means that the party in breach has to fully compensate the other for its losses which arise from its breach. This may be more than just a standard claim for breach of contract, where damages can be claimed.

This clause provides a route for an innocent party to claim back from the other any compensation it has had to pay to a data subject under the standard contractual clauses, arising from a breach by that other party.

This example indemnity is wider than that, and provides additional compensation for any breach of the standard contractual clauses.

Indemnities are often dealt with in the main agreement between the parties.

Dispute resolution

Please click the box if you wish to include the following optional clause:

☐ Include

Dispute resolution between the data exporter and data importer (the parties may of course substitute any other alternative dispute resolution or jurisdictional clause):

In the event of a dispute between the data importer and the data exporter concerning any alleged breach of any provision of these clauses, such dispute shall be finally settled under the rules of arbitration of the International Chamber of Commerce by one or more arbitrators appointed in accordance with the said rules.

The place of arbitration shall be (insert location, which can be the country of either the importer or exporter or a neutral location):

The number of arbitrators shall be (insert number of arbitrators):

Non-legally binding guidance:

The standard contractual clauses contain this as an example of an optional additional clause.

It sets out what will happen if there is a dispute between the importer and the exporter in relation to the standard contractual clauses.

If the parties are unable to resolve the dispute between themselves, they will settle the dispute using the arbitration rules of the International Chamber of Commerce.

The exporter and importer need to agree where the arbitration will take place. It could be the country of either the exporter or importer or a neutral location. The exporter and importer also need to decide on the number of arbitrators.

Arbitration can be just as expensive as using the courts. It can be helpful for international disputes. So, before you include this clause you should consider taking appropriate professional advice.

Allocation of costs

Please click the box if you wish to include the following optional clause:

☐ Include

Each party shall perform its obligations under these clauses at its own cost.

Non-legally binding guidance:

The standard contractual clauses contain this as an example of an optional additional clause.

It explains that each party is responsible for its own costs of complying with the standard contractual clauses.

Extra termination clause

Please click the box if you wish to include the following optional clause:

☐ Include

Extra termination clause:

In the event of termination of these clauses, the data importer must return all personal data and all copies of the personal data subject to these clauses to the data exporter forthwith or, at the data exporter’s choice, will destroy all copies of the same and certify to the data exporter that it has done so, unless the data importer is prevented by its national law or local regulator from destroying or returning all or part of such data, in which event the data will be kept confidential and will not be actively processed for any purpose. The data importer agrees that, if so requested by the data exporter, it will allow the data exporter, or an inspection agent selected by the data exporter and not reasonably objected to by the data importer, access to its establishment to verify that this has been done, with reasonable notice and during business hours.

Non-legally binding guidance:

The standard contractual clauses contain this as an example of an optional additional clause.

It sets out requirements on the importer to return the personal data to the exporter or destroy it (if the exporter asks it to), if the standard contractual clauses are terminated.

Priority of standard contractual clauses

Please click the box if you wish to include the following optional clause:

☐ Include

The Clauses take priority over any other agreement between the parties, whether entered into before or after the date the Clauses are entered into.

Unless the Clauses are expressly referred to and expressly amended, the parties do not intend that any other agreement entered into by the parties, before or after the date the Clauses are entered into, will amend the terms or the effects of the Clauses, or limit any liability under the Clauses, and no term of any such other agreement should be read or interpreted as having that effect.

Non-legally binding guidance:

This clause is provided by the ICO, as it may be helpful to you.

Please review it carefully and only include it if you think it is appropriate for your circumstances.

The intended effect of the clause is to make sure that you and the other party do not inadvertently amend the standard contractual clauses or limit your liability. If you did, then you would risk not being able to rely on the standard contractual clauses for compliance with the GDPR rules on restricted transfers.

The clause allows you the freedom to amend the standard contractual clauses, but only if you expressly refer to them.

If you are going to amend the standard contractual clauses, we would always recommend you seek professional legal advice.

Any amendment runs the risk that the standard contractual clauses will not comply with the GDPR rules on restricted transfers.

Effective date of the Standard Contractual Clauses

Please click the box if you wish to include the following optional clause:

☐ Include

The parties intend that these Clauses should only become effective if Art 44 of the General Data Protection Regulation (the “GDPR”) applies to a transfer of personal data from the EEA to the UK, because the UK has left the European Union, and the transfer is not permitted under Art 45.

On that basis, the Clauses will become effective on:

(i) the first date Article 44 GDPR applies to a transfer of personal data from the EEA to the UK, and that transfer is not permitted under Article 45 GDPR; or

(ii) the date of the Standard Contractual Clauses, if later.

In this clause, “a transfer of personal data” has the same meaning as in Article 44 of the GDPR.

Non-legally binding guidance:

This clause is provided by the ICO, as it may be helpful to you, if:

• you wish to use the standard contractual clauses to enable you to continue to receive transfers of personal data from the EEA into the UK; and
• you are entering into the standard contractual clauses before the date the UK exits the EU or before the end of any implementation period.

Please review it carefully and only include it if you think it is appropriate for your circumstances.

The intended effect of this clause is to make the standard contractual clauses only come into effect on the later date of:

(i) the date the UK exits the EU, if it exits without a deal which allows personal data to continue to flow from the EEA to the UK or without an “adequacy decision” (a decision by the European Commission that the UK data protection regime provides sufficient protection for personal data); and

(ii) the date of the standard contractual clauses, if that is later. (This date is set out below the signatures.)

This allows you to enter into the standard contractual clauses before the UK exits the EU and before the end of the implementation period (if there is one).

You do not need to include this clause if you are entering into the standard contractual clauses after the UK has exited the EU without a deal which allows personal data to continue to flow from the EEA to the UK or without an adequacy decision.

On behalf of the data exporter:

Name (written out in full):

Position:

Address:

Other information necessary in order for the contract to be binding (if any):

Signature:

→ ACTION: The exporter should fill in this section with the:

• Full name of the person signing. This must be a person who is authorised to enter into contracts on behalf of the exporter.
• Their position.
• Their business address.

And sign where indicated.

On behalf of the data importer:

Name (written out in full):

Position:

Address:

Other information necessary in order for the contract to be binding (if any):

Signature:

→ ACTION: The importer should fill in this section with the:

• Full name of the person signing. This must be a person who is authorised to enter into contracts on behalf of the importer.
• Their position.
• Their business address.

And sign where indicated.

Date of the Standard Contractual Clauses:

Non-legally binding guidance:

Do not date the standard contractual clauses until both the exporter and importer have signed.

It can be the date of the last signature, or a later date if that is agreed by the exporter and importer.

Annex A
Annex A sets out the data processing principles which the importer must comply with if it selects
this option in clause II(h), above.

The principles were written by reference to Directive 95/46/EC and broadly align to equivalent
principles set out in the GDPR.

1. Purpose limitation: Personal data may be processed and subsequently used or further
communicated only for purposes described in Annex B or subsequently authorised by the data
subject.
The importer can only use, disclose and make onward transfers of the data for the purposes listed
in Annex B, or for other purposes which have been agreed to by the data subject after the
standard contractual clauses have been entered into.

This principle broadly aligns with Article 5(1)(b) of the GDPR which sets out the principle of
purpose limitation. It requires that personal data must be collected for specified, explicit and
legitimate purposes and not further processed in a manner that is incompatible with those
purposes.

In practice, the parties must be clear on how the importer intends to use the data, and this should
be recorded in appropriate detail in Annex B.

If the importer later wishes to use the data for a different purpose, this will only be possible if the
data subject agrees to this different purpose.

2. Data quality and proportionality: Personal data must be accurate and, where necessary, kept up to
date. The personal data must be adequate, relevant and not excessive in relation to the purposes
for which they are transferred and further processed.
The importer should ensure that the data is accurate and kept up to date, and that the personal
data transferred to it is adequate, relevant and not excessive in relation to the purpose for which it
is processed.

This principle broadly aligns with Article 5(1)(c) of the GDPR which sets out the principle of data
minimisation. It requires that personal data must be adequate, relevant and limited to what is
necessary in relation to the purposes for which it is processed.

In practice, the importer should only request from the exporter, and the exporter should only
transfer data to the importer which is necessary for the importer's purpose. Data should not be
transferred "just in case" it may be useful in future.

3. Transparency: Data subjects must be provided with information necessary to ensure fair
processing (such as information about the purposes of processing and about the transfer), unless
such information has already been given by the data exporter.
The importer must provide data subjects with information about how their data will be processed.
The importer is not required to do this if the information has already been provided to the data
subject by the exporter.
This principle broadly ties in with part of Article 5(1)(a) of the GDPR. This requires data to be
processed fairly, lawfully and in a transparent manner in relation to the data subject.
What is “necessary to ensure fair processing” is a matter of interpretation. A court may look to the
GDPR to assess what is considered appropriate information to be provided in relation to the use of
the personal data by the importer. It may be prudent to look at the list of requirements in Art 14
of GDPR as a starting point. The key elements are:

• the identity and contact details of the importer (and where there is one, the importer’s EU
representative and data protection officer);

• the purposes of the processing;

• the categories of personal data concerned;

• recipients or categories of recipients of the personal data from the importer;

• the period for which the personal data is to be held by the importer, or the criteria used to
decide that period;

• the existence of the data subject’s rights of access, rectification, deletion and objection (as set
out below);

• the right to complain to a supervisory authority (it would be the one in the country where the
exporter is based); and

• the existence of automated decision making, meaningful information about the logic involved in
that, and the significance and envisaged consequences of such processing.

4. Security and confidentiality: Technical and organisational security measures must be taken by the
data controller that are appropriate to the risks, such as against accidental or unlawful destruction
or accidental loss, alteration, unauthorised disclosure or access, presented by the processing. Any
person acting under the authority of the data controller, including a processor, must not process
the data except on instructions from the data controller.
The importer must provide appropriate technical and organisational security measures for the
personal data which is being transferred.

This principle broadly aligns with the integrity and confidentiality principle in Article 5(1)(f) of the
GDPR.

This requires personal data to be processed in a manner that ensures appropriate security of the
data, including protection against unauthorised or unlawful processing and against accidental loss,
destruction or damage, using appropriate technical or organisational measures. For more guidance
on technical and organisational measures see the ICO’s Guide to the GDPR.

Neither the GDPR nor the standard contractual clauses set out any mandatory security measures.
It is for the importer to decide what is appropriate.

In doing so, the importer should think about the type of data (eg how confidential or sensitive it
is), the type of processing carried out (eg how intrusive it is) and the likely harm which could come
to data subjects if the data were lost, stolen or accessed by an unauthorised person.
5. Rights of access, rectification, deletion and objection: As provided in Article 12 of Directive
95/46/EC, data subjects must, whether directly or via a third party, be provided with the personal
information about them that an organisation holds, except for requests which are manifestly
abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for
which access need not be granted under the law of the country of the data exporter.

Provided that the authority has given its prior approval, access need also not be granted when
doing so would be likely to seriously harm the interests of the data importer or other organisations
dealing with the data importer and such interests are not overridden by the interests for
fundamental rights and freedoms of the data subject. The sources of the personal data need not
be identified when this is not possible by reasonable efforts, or where the rights of persons other
than the individual would be violated.

Data subjects must be able to have the personal information about them rectified, amended, or
deleted where it is inaccurate or processed against these principles. If there are compelling
grounds to doubt the legitimacy of the request, the organisation may require further justifications
before proceeding to rectification, amendment or deletion. Notification of any rectification,
amendment or deletion to third parties to whom the data have been disclosed need not be made
when this involves a disproportionate effort.

A data subject must also be able to object to the processing of the personal data relating to him if
there are compelling legitimate grounds relating to his particular situation. The burden of proof for
any refusal rests on the data importer, and the data subject may always challenge a refusal before
the authority.
The importer must provide data subjects with rights of access, rectification, deletion and objection.

Rights of access
Broadly speaking, “rights of access” means the right of the data subject to be given access to their
personal data which is being processed, and often to receive a copy.

The standard contractual clauses are not intended to grant rights of access which go beyond those
in the law of the data exporter's country. For a UK exporter, rights of access are governed by the
GDPR and DPA 2018. An importer who receives data from the UK should therefore look at the
rights of access and various exemptions in the GDPR and the DPA 2018 when assessing how to
respond to a request. The ICO's guidance on data subject rights can be found in its Guide to
GDPR.

This principle sets out circumstances in which the importer does not need to provide the data
subject with rights of access.

• The importer does not have to provide the right of access if a request is “manifestly abusive”.
This includes where the data subject has made a large number of requests or has made
repetitive or systematic requests.

• The importer can also refuse access if it would be likely to seriously harm the interests of the
importer (or other organisations dealing with the importer), and these interests are not
overridden by those of the data subject. If the importer is planning to refuse access on this
basis, then it must obtain the approval of the supervisory authority of the exporter (in the UK,
the ICO).

The principle also provides that a data subject does not have to be told the sources of the personal
data if this is not possible with a reasonable level of effort, or if it would violate the rights of
another person.

Rectification and deletion


Data subjects have the right to have the importer rectify, amend or delete their personal data if it
is inaccurate or if the importer has processed it in breach of the principles in Annex A.

The importer can request further information from the data subject if it has a very good reason to
believe that the request may not be legitimate. This may include requesting confirmation of the
data subject's identity, eg by asking for a copy of a passport or national identity document.
If a data subject makes a request to have their data rectified, amended or deleted, the importer
must tell any third parties to whom it has disclosed the data of such request, unless this involves
disproportionate effort.

Right to object
A data subject has the right to object to the processing of his/her data if there are compelling
legitimate grounds in a particular situation.
If the importer wants to continue processing the data, it must show that the grounds are not
compelling. If the importer does not stop processing, following an objection by the data subject,
the data subject can raise this with the supervisory authority of the exporter (in the UK the ICO).
If an importer has chosen option (ii) under clause II(h) (complying with a European Commission
finding of adequacy), it should note that principle 5 of Annex A still applies to it, and the provisions
of principle 5 will apply over and above any similar provision of the European Commission decision.
6. Sensitive data: The data importer shall take such additional measures (eg relating to security) as
are necessary to protect such sensitive data in accordance with its obligations under clause II.
The importer must provide additional protection, including by security measures, to protect
“sensitive data”.

Due to the way the definitions operate, sensitive data is equivalent to “special categories of data”
in the GDPR; these categories are listed in the Definitions section above.

In practice, importers should ensure that enhanced security measures are in place for this data.
These could include stricter access controls on a need to know basis, pseudonymisation and/or
limited retention periods.
7. Data used for marketing purposes: Where data are processed for the purposes of direct marketing,
effective procedures should exist allowing the data subject at any time to “opt-out” from having
his data used for such purposes.
The importer must provide procedures allowing data subjects to opt out, at any time, of the use of
their data for direct marketing purposes (if it is used for that purpose).

This principle aligns with data subjects' right under Article 21(3) of the GDPR. This provides that if
a data subject objects to its data being used for direct marketing purposes, then the data
controller must stop using the data for that purpose.
8. Automated decisions: For purposes hereof “automated decision” shall mean a decision by the data
exporter or the data importer which produces legal effects concerning a data subject or
significantly affects a data subject and which is based solely on automated processing of personal
data intended to evaluate certain personal aspects relating to him, such as his performance at
work, creditworthiness, reliability, conduct, etc. The data importer shall not make any automated
decisions concerning data subjects, except when:

(a) (i) such decisions are made by the data importer in entering into or performing a contract with
the data subject, and

(ii) the data subject is given an opportunity to discuss the results of a relevant automated
decision with a representative of the parties making such decision or otherwise to make
representations to those parties;

or

(b) where otherwise provided by the law of the data exporter.


This principle restricts the ability of the importer to make automated decisions. Automated
decisions are decisions which are made by the importer/exporter which:

• produce legal effects on a data subject or significantly affect them;

• are based solely on automated processing of personal data; and

• are intended to evaluate certain personal aspects relating to them, eg performance at work,
creditworthiness, reliability, conduct etc.
Automated decisions could therefore include decisions such as automatic refusals of an online
credit application or e-recruiting practices without any human intervention.

Automated decisions can only be made if:

• they are made by the importer in entering into or performing a contract with the data subject,
and the data subject is given the chance to discuss the results and make representations; or

• the law in the country of the data exporter permits particular automated decisions. In the UK
this would be under the GDPR and DPA 18. For more information on this, please see our Guide
to the GDPR.
Non-legally binding guidance

Annex B

→ ACTION: This Annex must be appropriately completed for the standard contractual clauses to
be an appropriate safeguard and allow restricted transfers of personal data under the GDPR.

Instructions for using the checklists:

To help you complete this Annex, we have provided optional checklists. These are just
suggestions. You do not need to use the checklists at all.

You can amend the contents of any category, as you consider best reflects the international
transfer of personal data, including to add specific details. If you do not fit into any of these types,
you may add your own description at the end of the checklist.

Data subjects
The personal data transferred concern the following categories of data subjects.

Each category includes current, past and prospective data subjects. Where any of the following is
itself a business or organisation, it includes their staff.

☐ staff including volunteers, agents, temporary and casual workers

☐ customers and clients (including their staff)

☐ suppliers (including their staff)

☐ members or supporters

☐ shareholders

☐ relatives, guardians and associates of the data subject

☐ complainants, correspondents and enquirers

☐ experts and witnesses

☐ advisers, consultants and other professional experts

☐ patients

☐ students and pupils

☐ offenders and suspected offenders

☐ other (please provide details of other categories of data subjects):      


→ ACTION: The parties should list the categories of data subject.

Instructions: Think about who the personal data being transferred is about, and click in the box
next to all of the categories of data subjects which are included in the personal data being
transferred.
You may make appropriate amendments or add specific details to any of the categories or click the
“other” box and add your own categories at the end.

Purposes of the transfer


The transfer is made for the following purposes.

Standard business purposes, which apply to most businesses and organisations:

☐ Staff administration, including permanent and temporary staff, including appointment or
removals, pay, discipline; superannuation, work management, and other personnel matters in
relation to the data exporter’s staff.

☐ Advertising, marketing and public relations of the data exporter’s own business or activity,
goods or services.

☐ Accounts and records, including

• keeping accounts relating to the data exporter’s business or activity;

• deciding whether to accept any person or organisation as a customer;

• keeping records of purchases, sales or other transactions, including payments, deliveries or
services provided by the data exporter or to the data exporter;

• keeping customer records;

• records for making financial or management forecasts; and

• other general record keeping and information management.

Other activities:

☐ Accounting and auditing services

☐ Administration of justice, including internal administration and management of courts of law, or
tribunals and discharge of court business.

☐ Administration of membership or supporter records.

☐ Advertising, marketing and public relations for others, including public relations work,
advertising and marketing, host mailings for other organisations, and list broking.

☐ Assessment and collection of taxes, duties, levies and other revenue.

☐ Benefits, welfare, grants and loans administration.

☐ Canvassing, seeking and maintaining political support amongst the electorate.

☐ Constituency casework on behalf of individual constituents by elected representatives.

☐ Consultancy and advisory services, including giving advice or rendering professional services,
and the provision of services of an advisory, consultancy or intermediary nature.

☐ Credit referencing, including the provision of information by credit reference agencies relating to
the financial status of individuals or organisations on behalf of other organisations.

☐ Data analytics, including profiling.


☐ Debt administration and factoring, including the tracing of consumer and commercial debtors
and the collection on behalf of creditors, and the purchasing of consumer or trade debts from
business, including rentals and instalment credit payments.

☐ Education, including the provision of education or training as a primary function or as a business
activity.

☐ Financial services and advice including the provision of services as an intermediary in respect of
any financial transactions including mortgage and insurance broking.

☐ Fundraising in support of the objectives of the data exporter.

☐ Health administration and services, including the provision and administration of patient care.

☐ Information and databank administration, including the maintenance of information or
databanks as a reference tool or general resource. This includes catalogues, lists, directories and
bibliographic databases.

☐ Insurance administration including the administration of life, health, pensions, property, motor
and other insurance business by an insurance firm, an insurance intermediary or consultant.

☐ IT, digital, technology or telecom services, including use or provision of technology products or
services, telecoms and network services, digital services, hosting, cloud and support services or
software.

☐ Journalism and media, including the processing of journalistic, literary or artistic material made
or intended to be made available to the public or any section of the public.

☐ Legal services, including advising and acting on behalf of clients.

☐ Licensing and registration, including the administration of licensing or maintenance of official
registers.

☐ Not-for-profit organisations’ activities, including:

• establishing or maintaining membership of or support for a not-for-profit body or association,
and

• providing or administering activities for individuals who are either members of the not-for-
profit body or association or have regular contact with it.

☐ Pastoral care, including the administration of pastoral care by a vicar or other minister of
religion.

☐ Pensions administration, including the administration of funded pensions or superannuation
schemes.

☐ Procurement, including deciding whether to accept any person or organisation as a supplier, and
the administration of contracts, performance measures and other records.

☐ Private investigation, including the provision on a commercial basis of investigatory services
according to instruction given by clients.

☐ Property management, including the management and administration of land, property and
residential property, and the estate management of other organisations.

☐ Realising the objectives of a charitable organisation or voluntary body, including the provision of
goods and services in order to realise the objectives of the charity or voluntary body.

☐ Research in any field, including market, health, lifestyle, scientific or technical research.

☐ Security of people and property, including using CCTV systems for this purpose.

☐ Trading/sharing in personal information, including the sale, hire, exchange or disclosure of
personal information to third parties in return for goods/services/benefits.

☐ Other purposes (please provide details):      


→ ACTION: The parties should list the purposes for which the transfer of data is made.

Instructions: Think about the personal data being transferred and why the data exporter and data
importer are making the transfer. Click in the box next to all of the purposes which apply.

You may make appropriate amendments or add specific details to any of the purposes or click the
“other” box and add your own purposes at the end.

Categories of data
The personal data transferred concern the following categories of data.

☐ Personal details, including any information that identifies the data subject and their personal
characteristics, including: name, address, contact details, age, date of birth, sex, and physical
description.

☐ Personal details issued as an identifier by a public authority, including passport details, national
insurance numbers, identity card numbers, driving licence details.

☐ Family, lifestyle and social circumstances, including any information relating to the family of the
data subject and the data subject’s lifestyle and social circumstances, including current marriage
and partnerships, marital history, details of family and other household members, habits, housing,
travel details, leisure activities, and membership of charitable or voluntary organisations.

☐ Education and training details, including information which relates to the education and any
professional training of the data subject, including academic records, qualifications, skills, training
records, professional expertise, student and pupil records.

☐ Employment details, including information relating to the employment of the data subject,
including employment and career history, recruitment and termination details, attendance records,
health and safety records, performance appraisals, training records, and security records.

☐ Financial details, including information relating to the financial affairs of the data subject,
including income, salary, assets and investments, payments, creditworthiness, loans, benefits,
grants, insurance details, and pension information.

☐ Goods or services provided and related information, including details of the goods or services
supplied, licences issued, and contracts.

☐ Personal data relating to criminal convictions and offences.

☐ Other (please provide details of other categories of data)      

→ ACTION: The parties should list the categories of personal data being transferred.

Instructions: Think about what the personal data being transferred is about and click the box next
to all of the categories of personal data which are being transferred.

You may make appropriate amendments or add specific details to any of the categories or click
“other” and add your own categories at the end.
Recipients
The personal data transferred may be disclosed only to the following recipients or categories of
recipients.

The categories of recipients are:

☐ Central government

☐ Charitable and voluntary

☐ Education and childcare

☐ Finance, insurance and credit

☐ General business

☐ Health

☐ IT, digital, technology and telecoms

☐ Justice and policing

☐ Land and property services

☐ Legal and professional advisers

☐ Local government

☐ Marketing and research

☐ Media

☐ Membership association

☐ Political

☐ Regulators

☐ Religious

☐ Research

☐ Retail and manufacture

☐ Social care

☐ Trade, employer associations, and professional bodies

☐ Traders in personal data

☐ Transport and leisure

☐ Utilities and natural resources

☐ Other – Please add details:     

→ ACTION: The parties should list the recipients or categories of recipients to whom the importer
may forward or disclose the data.
These may be processors (eg service providers) or other controllers (eg legal advisers or
regulatory bodies).

Instructions: Think about what types of business or organisation the data importer might need to
pass on the transferred personal data to. Click in the box next to all the types of recipient which
apply.

You may make appropriate amendments or add specific details to any of the categories or click the
“other” box and add your own categories at the end.

Sensitive data
The personal data transferred concern the following categories of sensitive data.

Personal data which is on, which reveals, or which concerns:

☐ racial or ethnic origin

☐ political opinions

☐ religious or philosophical beliefs

☐ trade union membership

☐ genetic data

☐ biometric data (if used to identify a natural person)

☐ health

☐ sex life or sexual orientation

☐ criminal convictions and offences

☐ none of the above

→ ACTION:
Include a list of any of the categories of sensitive data which are being transferred:

For completeness, and to ensure the Clauses work under the GDPR, we have included the new
special categories of data added by the GDPR and criminal convictions and offences data.

Instructions: Think about the set of personal data being transferred and click the box next to any
which are included.
Registration information
Data protection registration information of the data exporter (where applicable)
→ ACTION:
Exporters in the UK are not required to register with the ICO.

Therefore, if you are a UK exporter, you do not need to fill in this section.
If the exporter is located in another EEA state, it will be able to advise you of its registration
information with its local data protection authority (if there is any).
Additional information
Additional useful information (storage limits and other relevant information)
→ ACTION: The parties may set out any other useful information.

For example, the parties may wish to agree a period of time for which the importer may store the
data.
Contact points for data protection enquiries
→ ACTION: The exporter and the importer should provide a contact point for data protection
enquiries.
Data importer contact details:      
If the parties have data protection officers, these people may be the appropriate contact points.

You do not need to name individuals if you do not consider that to be appropriate. This can simply
be a job title or team, and a generic email. For example:
SCC Data Protection Officer: dataprotectionenquiries@sccs.com
Data exporter contact details:      
