Module 7 · Appropriate safeguards: SCCs, BCRs & codes
Where there is no adequacy decision, appropriate safeguards bind the recipient to an EU standard. Standard Contractual Clauses (SCCs) are the most commonly used: Commission-approved, non-negotiable model clauses, upheld in Schrems II, with 2021 modular versions covering four module types. Companies must still run a case-by-case assessment (a Transfer Impact Assessment) and either add supplementary measures or suspend the transfer. Binding Corporate Rules (BCRs) cover intra-group transfers (minimum requirements in Article 47). Approved codes of conduct and certification, ad hoc contractual clauses (which need SA authorisation) and international agreements (e.g. PNR) round out the toolkit.
When there is no adequacy decision, you bind the recipient contractually or organisationally to an EU standard. There is a menu of appropriate safeguards.
| Mechanism | What it is | Key feature / authorisation |
|---|---|---|
| Adequacy decision | Commission finds country essentially equivalent | No additional safeguards needed |
| Standard Contractual Clauses (SCCs) | Commission-approved model contract clauses | Non-negotiable; most commonly used; 2021 modular (4 modules); needs a TIA |
| Binding Corporate Rules (BCRs) | Internal legally-binding rules for a corporate group | Intra-group only; approved by an ; minimum requirements in Article 47 |
| Codes of conduct / certification | EDPB-reviewed schemes with accredited monitoring | Must be binding and enforceable; certs valid up to 3 years |
| Ad hoc contractual clauses | Tailored bespoke clauses | Require SA authorisation |
| International agreements | State-level arrangements, e.g. PNR EU–US | Relied on where they exist |
| Article 49 derogations | Narrow exemptions for specific situations | Last resort; narrowly interpreted |
- The 2021 modular SCCs cover four modules: controller→controller, controller→processor, processor→processor, processor→controller.
- After Schrems II, SCC users must do a case-by-case assessment (the Transfer Impact Assessment) and add supplementary technical/contractual measures, or suspend the transfer, if destination law is not essentially equivalent.
- BCRs confer enforceable rights on data subjects and have separate versions for controllers and processors.
- Codes/certification can also help demonstrate Article 25 (data protection by design) compliance (EDPB Guidelines 04/2021; GDPR-CARPA).
Encryption alone is a supplementary measure, not a transfer mechanism. "Transfer Impact Assessment" is an industry term, not EDPB/Commission terminology. Public interest is a derogation, not an appropriate safeguard.