A practical comparison of the EU, China and ASEAN standard contractual clauses
This resource compares three sets of standard contractual clauses, namely in China, the EU and the ASEAN, based on their key features.
Published: June 2023
Are we witnessing a watershed moment for standard contractual clauses as a mechanism for cross-border data transfers in major jurisdictions across the globe? The People's Republic of China Standard Contract was issued in March 2023; the current form of the EU SCCs has been in effect since June 2021, and the U.K. International Data Transfer Addendum to the EU SCCs since March 2022; and the Association of Southeast Asian Nations published its Model Contractual Clauses in January 2021.
In this article, we compare three sets of standard contractual clauses, namely in China, the EU and the ASEAN, based on their key features. For consistency, we refer to personal data under the three frameworks as encompassing any data or information from which an individual or data subject can be identified, and this is used synonymously with personal and personally identifiable information.
A comparative look at the SCCs for China, the EU and ASEAN
Applicability
1. Access to personal data from another jurisdiction could constitute a transfer.
2. Availability to intragroup transfers, as well as to transfers to external parties.
EU SCCs
Under the EU General Data Protection Regulation, the concept of "transfer" is broad, as it also applies in the case of remote access to personal data.
Controllers and processors can apply EU SCCs to transfer data to third parties as well as in intragroup scenarios.
PRC Standard Contract
Although the term "export" is not clearly defined in China's Personal Information Protection Law, certain guidelines issued by the authorities suggest the following circumstances will be deemed data transfers:
- A controller transfers the data collected and generated in its domestic operations offshore.
- A controller stores the data collected and generated in its domestic operations offshore.
- The data collected and generated by the controller is stored within China, whereby offshore organizations or individuals may access, retrieve, download or extract it.
The PRC Standard Contract can apply to intragroup transfers as well as transfers to third parties.
ASEAN MCCs
Although "transfer" is not expressly defined in the ASEAN MCCs, the illustrations provided in the framework suggest access to personal data from a third jurisdiction could constitute a transfer.
The ASEAN MCCs are a voluntary mechanism available to any organization within the ASEAN transferring personal data to another organization in a different ASEAN country. The MCC provisions are modular, meaning they can be adapted at will, so long as the data exporter and importer adhere to applicable data protection laws including any transfer requirements and/or restrictions imposed upon them in their own territories.
The ASEAN MCCs can apply to intragroup transfers, as well as transfers to third parties.
3. Standard contracts are one among many available legal transfer mechanisms.
EU SCCs
The EU SCCs are one of the legal mechanisms available under the GDPR that parties may rely upon to ensure the lawful transfer of personal data to a third country that does not provide adequate levels of personal data protection compared to the EU framework. Generally, EU SCCs are available to all controllers and processors who wish to sign and implement them, provided they can adhere to the provisions in practice.
PRC Standard Contract
The PRC Standard Contract is one of the legal mechanisms available under the PIPL that parties may rely upon to transfer personal data originating from China to a third country, provided that the following criteria are met. To rely on the PRC Standard Contract for personal data export activities, a controller must satisfy all the requirements below. Otherwise, the controller will be subject to the security assessment organized by the government authority.
- The controller must not be a critical information infrastructure operator, which refers to the operators of network facilities and IT systems that are critical to national security and/or public interest. Typically, CIIOs are involved in industries that raise national security and public interest concerns, such as utilities, transportation, finance, public service and national defense.
- The volume of the personal data processed by the controller must be less than that of one million individuals.
- It has not exported cumulatively more than 100,000 individuals' personal data since 1 Jan. of the preceding year.
- It has not cumulatively exported more than 10,000 individuals' sensitive personal data since 1 Jan. of the preceding year.
ASEAN MCCs
The ASEAN MCCs can be adapted and used for data transfers within the ASEAN. This would satisfy any member state laws that recognize a data transfer agreement or contract as one of the ways an outbound transfer can be lawfully carried out. However, where any member state has requirements that contradict the MCCs, for instance if there is data localization which requires data is only processed and stored in-territory, the local law requirement will prevail.
Fixed form
1. No changes are allowed/changes are allowed.
2. A description of the personal data transfers must be provided, or not.
EU SCCs
The text of the EU SCCs is not amendable, except to select modules and/or specific options offered in the text, complete the text where necessary, fill in the annexes, or add additional safeguards that increase the level of protection for the data. Optional elements of the SCCs include a docking clause that allows additional parties to join the contract in the future or an additional redress clause that allows data subjects to lodge complaints with an independent dispute resolution body at no cost.
The parties can incorporate the EU SCCs into broader commercial contracts so long as the other contractual provisions do not contradict the provisions in the EU SCCs, either directly or indirectly, or prejudice the rights of data subjects.
Details about the transfer must be provided, including the categories of personal data, categories of data subjects, retention periods, as well as, where applicable, the list of subprocessors and the supplementary technical and organizational measures identified.
PRC Standard Contract
The text of the PRC Standard Contract is not amendable and must be strictly followed, though the parties are able to fill in the applicable blanks and select the dispute resolution mechanism. Additional provisions agreed between the parties that do not contradict the PRC Standard Contract can be added to it in a separate appendix.
The PRC Standard Contract is a standalone contract. The parties will be able to refer to the commercial contract in the preamble.
Details about the export need to be included, including the purpose and method of export, the type and volume of the personal data being exported, the details on onward transfers by the offshore recipient, the transmission method, the offshore retention period, and the location of storage; the security and organizational measures to be taken by the offshore recipient; and the point of contact of the offshore recipient to respond to data subject inquiries.
ASEAN MCCs
There are additional optional modules offered in the MCCs which parties can choose to include in their final executed agreement.
Modules
1. A modular approach is accepted/promoted.
EU SCCs
EU SCCs are designed for four possible transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.
PRC Standard Contract
The PRC Standard Contract applies to all personal data export activities by controllers only. Unlike the EU SCCs, it does not differentiate controller-to-controller or controller-to-processor transfers, nor does it apply to data transfers by a processor.
ASEAN MCCs
The ASEAN MCCs are designed for two possible scenarios: C2C and C2P transfers.
Data transfer and personal information protection impact assessments
1. A risk assessment must be conducted prior to the transfer.
2. The assessment includes an evaluation of the third country’s legal framework.
3. The assessment should be transfer specific and consider whether the transfer is necessary.
4. A risk-based approach is adopted generally.
5. Additional measures may have to be included to ensure an adequate protection.
6. Monitoring obligations apply.
EU SCCs
What is a data transfer impact assessment?
A DTIA helps ensure EU SCCs will provide appropriate safeguards and effective and enforceable rights for individuals. It involves a detailed assessment of the laws and practices of the third country of destination. As part of the DTIA, parties should assess the risks related to the transfer, such as the risk of public authorities accessing personal data, as well as the possibility for data subjects to effectively enforce their rights. If the assessment determines the personal data is insufficiently protected by the safeguards provided under the EU SCCs, then supplementary measures should be adopted to address the deficiencies identified.
Country assessment
Data exporters are required to assess if there is anything in the law and/or practices of a third country that may impinge on the effectiveness of the appropriate safeguards being relied upon and in the context of the specific transfer.
Specific circumstances of the transfer and necessity test
The DTIA should be transfer-specific and consider whether the transfer meets the necessity test. The EU SCCs require the parties to consider the specific circumstances of the transfer. Examples include the length of the processing chain, the number of actors involved, the transmission channels used, intended onward transfers, and the type of recipient.
Is it a risk-based approach?
Even if only in a footnote, the EU SCCs allow data exporters to take a risk-based approach when conducting the DTIA. When assessing the impact of the laws and practices on compliance with the EU SCCs, the data exporter can take into account "relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time frame." However, these elements should be part of an overall assessment and, when they are used to justify the transfer, the conclusion should be supported by other relevant, objective elements.
Additional measures
If a third country's legislation cannot guarantee a level of protection that is equivalent to the one provided under the EU framework, then technical, contractual, i.e., additional clauses, and organizational measures, i.e., specific policies and procedures, can also be put in place to address deficiencies identified in the DTIA.
Monitoring
The EU SCCs do not contain specific provisions for when a DTIA must be redone. However, in its January 2020 recommendations, the European Data Protection Board stated data exporters must monitor, on an ongoing basis, developments in the third country to which they have transferred personal data when such developments could affect the assessments they made and the decisions they took.
PRC Standard Contract
What is a personal information protection impact assessment?
As required by the PIPL, a PIPIA is the precondition of carrying out any personal data export activities. A PIPIA on data exports shall include:
- The legitimacy and necessity of the purpose, scope and method of the processing by the controller and the offshore recipient.
- The volume, scope, type and sensitivity of the personal data being exported, and the risks associated with the export on the data subjects' rights and interests.
- The undertakings of the offshore recipient, and the effectiveness of the technical and organizational measures taken by the offshore recipient in terms of safeguarding the personal data.
- The risk of a data breach after the export of personal data, and whether an effective mechanism has been established to protect the data subjects' rights and interests.
- The legislative environment of foreign jurisdictions where the offshore recipient is located, and how it may impact the performance of the PRC Standard Contract.
- Other matters that may influence the security of personal data in the context of a data export.
Evaluation on the legislative environment of foreign jurisdictions
Under the PRC Standard Contract, both the controller and the offshore recipient are obligated to evaluate whether the legislative environment of the foreign jurisdiction where the offshore recipient is located may impair the offshore recipient's performance of the PRC Standard Contract. The PRC Standard Contract also sets forth the detailed aspects to be considered for the evaluation, including the export details, prior experience of the offshore recipient, and policies and legislation of the foreign jurisdiction. The assessment of foreign jurisdictions should be included in the PIPIA report.
Necessity of export
A critical part of the PIPIA is to justify and demonstrate in the report the necessity of the personal data export, which is the fundamental requirement of exporting personal data under the PIPL. The factors to consider typically include the nature of the data subjects, the types of data being exported and the purpose of the export.
Is it a risk-based approach?
The offshore recipient's prior experience with similar exports or requests from public authorities to access personal data should be taken into account during the evaluation discussed in the second point above.
Additional measures
The specific technical measures to be taken by the offshore recipient should be added to the PRC Standard Contract. The controller has the obligation to use reasonable efforts to ensure those measures have been taken by the offshore recipient.
Monitoring
Unlike the EU SCCs, the PRC Standard Contract contains specific requirements on when a PIPIA must be redone. The parties are required to redo the PIPIA, amend or re-sign the PRC Standard Contract and make a new filing if there is:
- Any change in the purpose, scope or types of personal data being exported; any change of the method of the export or the location of storage; or any change in the offshore recipient's usage, method of processing or retention period.
- Any change in the foreign legislation or policy that may impair the rights and interests of the data subjects.
ASEAN MCCs
No transfer risk assessment is required.
Additional measures
The ASEAN MCCs provide that the data exporter must ensure the importer has reasonable and appropriate technical, administrative, operational and physical measures in place that are consistent with applicable data protection laws. However, there are no requirements for parties to assess and put these measures in place over and above what the contractual language stipulates.
Monitoring
There are no monitoring requirements prescribed under the ASEAN MCCs.
Data breaches
1. Do the standard clauses require the reporting of personal data breaches?
EU SCCs
The EU SCCs require data importers to take measures to address data breaches and mitigate their adverse effects. The EU SCCs also require data importers to report data breaches, with varying reporting obligations depending on the module and the level of risk arising from the breach.
In the C2C module, the data importer must notify the data exporter and the competent supervisory authority if the breach is likely to result in a risk to the rights and freedoms of individuals as well as the data subjects if the likelihood of such risk is high. In the C2P and processor-to-processor modules, the data importer must notify the data exporter (and its data controller in the P2P module, if feasible), and assist the data exporter in complying with its own notification obligations. In the P2C module, when a data breach happens at the data exporter's level, it is the data exporter who must notify and assist the data importer.
PRC Standard Contract
In case of data breaches, the PRC Standard Contract requires the offshore recipient to promptly take remedial actions and mitigate the impact on the data subjects; notify the breaches to the controller and the supervising authority, and, if required by the law, the data subjects directly; and keep records on the breach and the remedial actions. The notice to the controller and supervising authority should include:
- The types of personal data affected by the breach, the cause, and potential consequences and impact.
- The remedial actions being taken.
- The remedial actions that could be taken by the controller to mitigate the loss.
- The contact of the person or team responsible for dealing with the breach.
In cases where the offshore recipient is an entrusted party, i.e., similar to C2P transfers under the GDPR, the notices to data subjects must be delivered by the controller.
ASEAN MCCs
Yes, but through an optional module only.
The ASEAN MCCs require the data importer to notify the data exporter of any data breaches it becomes aware of, and parties have the option to determine the period in which this is done, for instance, without undue delay or within a reasonable time specified by the parties.
Onward transfers
1. Specific conditions must be met for onward transfers.
EU SCCs
An onward transfer may only take place if the data importer meets certain conditions, which vary depending on the module.
For instance, specific grounds for the transfer should be identified. Grounds for the C2C, C2P and P2P modules include, for example, the third party being bound by the EU SCCs, the third country benefiting from an adequacy decision, or the onward transfer being necessary for specific reasons, e.g., to establish, exercise or defend legal claims, to protect the vital interests of individuals, etc. Additional grounds are available only for the C2C module, such as obtaining the explicit consent of the data subject.
PRC Standard Contract
An onward transfer may only take place if all the following requirements are met:
- Necessity in terms of business.
- Sufficient notice to the data subjects on the onward transfers, to the extent required by the law.
- Proper consent from the data subjects if the processing is based on consent.
- Written agreement with the third-party recipient, ensuring that such recipient could meet the standard of protection required by the PRC laws.
- Data subjects have the right to request a copy of the agreement with the third-party recipient.
ASEAN MCCs
The ASEAN MCCs provide a module to address any onward transfers.
The data importer must only carry out an onward transfer after notifying the data exporter of this in writing and giving the exporter a reasonable opportunity to object. The importer also must ensure any third-party recipient is bound by the same obligations as those that the data importer owes to the data exporter.
Suspension of transfers
1. The standards provide for the possibility/obligation to suspend the transfer in case the protection afforded to personal data is not effective.
EU SCCs
Under the EU SCCs, the data exporter must suspend the data transfers if the data importer breaches or is unable to comply with its obligations under the EU SCCs, or if the data exporter is instructed to do so by the competent supervisory authority or the data controller, in the P2P module.
In the event of suspension, the data exporter may be entitled to terminate the contract with the data importer. To do so, one of the termination grounds must be present, such as where the suspension exceeds a reasonable time (one month in any event) or where the data importer is in substantial or persistent breach.
PRC Standard Contract
Under the PRC Standard Contract, the controller may suspend the export of personal data if the offshore recipient violates its contractual obligations under the PRC Standard Contract or if a change in policy and legislation of the jurisdiction where the offshore recipient is located results in the recipient's failure in performance of the PRC Standard Contract.
In addition, if the suspension lasts for more than one month, the controller has the right to terminate the PRC Standard Contract.
ASEAN MCCs
The ASEAN MCCs stipulate that if the data importer is in breach of its obligations, either under the MCCs or applicable law, then the data exporter is entitled to temporarily suspend the transfer of data until the breach is repaired or processing under the agreement is terminated.
Filing/retention requirements
EU SCCs
There is no requirement to file the EU SCCs nor to retain the DTIA for a specific amount of time.
PRC Standard Contract
The executed PRC Standard Contract and the PIPIA report on the personal data export must be filed with the provincial Cyberspace Administration of China within 10 working days after the PRC Standard Contract takes effect. All documents must be written in Chinese.
The PIPIA report must be retained for at least three years.
Note that the measures on PRC Standard Contract will take effect 1 June, and a six-month grace period is granted to existing export activities.
ASEAN MCCs
There is no requirement to register the ASEAN MCCs, although, in principle, if a data exporter is required under local law to file a transfer agreement with a local authority, it can do so using the MCCs in their executed form.
Governing law and forum
1. Obligation to identify a local governing law.
2. Obligations in relation to competent forum.
EU SCCs
The governing law must allow for third-party beneficiary rights and, in most cases, it must be the national law of a European Economic Area country. Only in the P2C module may the parties choose the national law of either an EEA or a non-EEA country.
Similar rules apply when choosing the competent forum, i.e., the obligation to identify the courts of an EEA country in most cases. However, a data subject may also bring legal proceedings before the courts of the EEA country of their habitual residence.
PRC Standard Contract
The PRC Standard Contract must be governed by the PRC laws.
The parties to the PRC Standard Contract may choose a Chinese court or an international arbitration tribunal under the New York Convention as the mechanism of dispute resolution.
Data subjects, as the third-party beneficiaries, may bring legal claims in Chinese courts.
ASEAN MCCs
Parties are free to choose the governing law of the ASEAN MCCs, among the 10 member states.
Parties are free to choose the forum of dispute resolution.
Supervisory authority
1. Organizations will need to work with local supervision (with some exceptions).
EU SCCs
In most cases, the EU SCCs require the identification of an EEA data protection authority, determined based on the territorial scope of the data exporter.
In the C2C, C2P and P2P modules, the parties must designate the supervisory authority competent for the data exporter's compliance with the GDPR, if the exporter is established in the EEA; the supervisory authority of the representative's establishment, if the data exporter is not established in the EEA but has appointed a representative; or the supervisory authority of one of the EEA countries where the data subjects whose data is transferred are located, if the data exporter is not established in the EEA and has not appointed a representative. There is no requirement to identify an EEA supervisory authority for the P2C module. The EU SCCs also allow data subjects to lodge a complaint with the EEA data protection authority in the country of their habitual residence or place of work.
PRC Standard Contract
Under the PRC Standard Contract, the supervisory authority refers to the provincial and state CAC.
Notably, by signing the PRC Standard Contract, the offshore recipient accepts the supervision and administration of the CAC, including, but not limited to, answering inquiries, cooperating with inspections, complying with measures taken or decisions made by the CAC, and providing written certificates as requested.
ASEAN MCCs
The ASEAN MCCs are silent on any supervisory authority, as they are voluntary in nature and local data protection laws will continue to apply to the respective parties.
On top of the standard contracts mentioned above, other examples exist or are currently being discussed, including at a regional level.
For instance, the Latin American Data Protection Board SCCs were issued in September 2022 with the aim of providing a harmonized framework for organizations within the region to securely transfer personal data to recipients based in other territories that are not considered to provide an equivalent level of personal data protection. It should be noted that, as opposed to the EU SCCs, Latin America has no jointly approved SCCs at a regional level. In fact, some territories have developed specific SCCs based on their national legislation, e.g., Uruguay and Argentina, which must be followed instead. Having said this, the Latin American Data Protection Board SCCs, which can also be validated with a local data protection authority for these purposes, are generally accepted as an adequate safeguard when undertaking these types of transfers.
Further, the Council of Europe is also working on updating its model contractual clauses for the transfer of personal data, which date back to 1992. The latest revised draft of the CoE MCCs was released in March 2023. The revised CoE MCCs provide a framework for transfers of personal data from a party country to a nonparty country under the CoE's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+). In their current form, the revised CoE MCCs largely follow the structure of the EU SCCs. For example, they contain provisions relating to purpose limitation, third-party beneficiary rights, transparency, accuracy, data minimization, storage limitation, security, onward transfers, data subjects' rights and a redress mechanism, and impose obligations of the data importer in case of access by public authorities. Like the EU SCCs, the CoE MCCs also offer the possibility to make certain choices, the so-called "options", and require signatories to include details of the data transfers and security measures in the annexes. However, some differences remain. Unlike the EU SCCs, which consist of four different modules, the CoE MCCs are limited to one scenario for both controllers and processors.
Additionally, while the EU SCCs are a standardized tool for data transfers in all EU member states, Convention 108+ parties may decide whether or not to approve the CoE MCCs as their standardized tool. Finally, although the general structure of the EU SCCs and the CoE MCCs is similar, the obligations do not fully overlap. For example, both sets of clauses envisage data breach reporting but differ in the reporting modalities. The revised CoE MCCs are still a work in progress, and the final version may turn out to be more or less similar to the EU SCCs.
Challenges of coping with unharmonized standard contracts
With the development of multiple standards, hoping for one single set is probably a pipe dream, and one that might not even be fully functional, as it would likely lead to a stricter-rule approach. This raises questions about what, if anything, can be done to achieve a greater level of interoperability. Policymakers play a pivotal role in working toward mutual recognition of the currently fragmented patchwork of standard contracts that underpin global data transfers. In their recently published first-of-its-kind guide identifying the similarities and differences between the ASEAN MCCs and the EU SCCs, the European Commission and the ASEAN explained their objective was to aid companies in meeting requirements under both sets of contractual clauses, as well as their data protection laws more broadly. Hopefully, this will be the first of many guides that offer an approach for interoperability between two otherwise distinct sets of contractual clauses. Without any consensus, multinational corporations with business or operations that straddle more than one of these blocs would need to draft intragroup agreements that include multiple sets of SCCs, built as appendices and with particular attention paid to hierarchy clauses.