If you are a small and medium-sized business or organisation based in the UK who needs to maintain the free flow of personal data into the UK from Europe, in the event the UK exits the EU without a deal, you should consider using standard contract clauses (SCCs).

If a business or organisation in Europe (in the EEA) sends personal data to another business or organisation who is outside the EEA, they must comply with GDPR rules on international transfers of personal data. The SCCs are one of a number of 'safeguards' which you can use to comply, and the one most likely to be appropriate for small and medium-sized businesses.

The SCCs are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of the GDPR.

If this applies to you, you should consider the following:

1. Do I need to use standard contractual clauses (SCCs) for transfers from the EEA to the UK (if we leave the EU with no deal)?

Use this tool to decide whether SCCs can help you maintain the flow of data and decide whether you are making a controller-controller or controller-processor transfer.

2. What SCCs should I use to transfer personal data from the EEA to the UK?

Use one of these templates to build a contract using SCCs to transfer personal data from the EEA to the UK.

Using the templates means you will be complying with the GDPR’s rules on an appropriate safeguard for restricted transfers.

Depending on the type of transfer you are making, you will use either the controller to controller template or the controller to processor template. If you are not sure which template to use, you should work through the questions in our interactive tool above and it will then direct you to the relevant contract builder.

 3. What do I need to do to transfer personal data from an EEA based processor to my UK based organisation?

If the sender is a processor which has its controller also located in the EEA, the simplest way to comply is for the EEA controller to enter into the standard contractual clauses with you. There are currently no EU Commission approved standard contractual clauses for transfers outside the EEA by a processor.