This tool is for small and medium-sized businesses and organisations based in the UK who need to maintain the free flow of personal data into the UK from Europe, in the event the UK exits the EU without a deal.
How can this tool help me?
If you receive personal data into the UK from Europe, the tool will help you:
- decide whether SCCs can help you maintain the flow of data;
- select the right SCCs;
- understand the SCCs; and
- complete the SCCs.
What are the SCCs?
If someone in Europe (in the EEA) sends personal data to someone else who is outside the EEA, they must comply with GDPR rules on international transfers of personal data. The standard contractual clauses (the SCCs) are one of a number of 'safeguards' which can be used to comply, and the one most likely to be appropriate for small and medium-sized businesses.
The SCCs are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of the GDPR.
It is the EEA sender of the personal data which must comply with the GDPR rules, but UK receivers may want to assist those senders in complying, to make sure data continues to flow if we leave the EU without a deal.
SCCs are not the only safeguard. Our guidance on international transfers has more detail on alternatives.
When won’t this tool help me?
This tool aims to cover common issues and is designed to help you use the SCCs in straightforward cases where you won't need professional advice. Of course, any guidance cannot cover all eventualities, or complex or unusual cases. If you don't fit the questions, you aren't sure about your answer, or your answers indicate that there are more complex issues, you may need to read our detailed guidance on international transfers or seek professional advice. We have flagged this and linked to more detailed guidance where we think relevant.
If you are receiving personal data for a medical emergency or another compelling urgent reason where a one-off transfer of personal data is required, the sender may be able to rely on one of the exceptions and you will not need to use the this tool.
If you are a larger organisation or a multinational company, a data protection professional, or you have well-established transfer mechanisms, this tool may not suit your needs. You will find it more helpful to read our other guidance on leaving the EU and on international transfers.