Transfer Mechanisms FAQ

Frequently asked questions regarding Transfer mechanisms and data processing


Q: Why does a DPA need to be structured around Standard Contractual Clauses now?  

A: Standard contractual clauses (SCCs) are a key way to ensure the lawful and secure transfer of personal data from within the European Economic Area (EEA) to "third countries" (non-EEA countries). 

With the downfall of the Privacy Shield framework in July 2020, SCCs represent the most appropriate safeguard for most personal data transfers from the EEA to the United States. SCCs are a means of helping people in the EEA maintain their rights and control over their personal data even once it leaves the EEA. 

What this means: A safe way to ensure that data is processed and handled with care, in countries outside the EU, this provides a legal basis that ensures this.  


Q: What are the advantages of using SCC? 

A: SCCs are easy to use and virtually remove the need of negotiating individual contractual terms or adopting Binding Corporate Rules (BCR), which is another method of transferring data to a third country which has been marginally adopted in practice. 

The clauses are intended to provide standardised clarity about benchmarks and requirements for data protection between data exporters and importers. The EU Commission has approved standard wording, and supervisory authorities in member states (Datatilsynet in our case) have created and approved versions reflecting the same level of protection. 

What this means: The terms of these contracts are the same for all - meaning it eliminates the need for altering anything else than the appendices.  


Q: What is a transfer mechanism? 

AskCody offers its services globally, and use of our services involves transfers of personal data. For example, customers can log in to our services and manage their data from anywhere in the world. Under European privacy laws, personal data cannot be transferred outside of the EU to organizations that are located in third countries, unless (I) the importing country has been deemed adequate (aka, having same data security standards as inside the EU) or (II) the data exporter has appropriate safeguards in place to ensure that the personal data transferred is subject to an adequate level of data protection. At AskCody, we have implemented the following transfer mechanisms:  

  • Standard Contractual Clauses  
  • Supplementary Measures. 

See our full response on this topic here.  


Does the SCC apply to third party sub-processors? 

Yes, AskCody has DPA’s based on SCC in place for all our sub-processors, plus our own DPA with all our customers are based on SCC.  


What are the Standard Contractual Clauses?  

The Standard Contractual Clauses are legal contracts entered into between contracting parties who are transferring personal data outside of Europe. The original controller to processor Standard Contractual Clauses were drafted and approved by the European Commission in 2010. In June 2021, the European Commission published the 2021 SCCs. A copy of the 2021 SCCs is available here and you can also find additional information on the 2021 SCCs on the official website of the European Commission.