SaaS Agreements – Data Protection – New EU Standard Contractual Clauses

On the 4th of June 2021 the EU Commission announced the adoption of new Standard Contractual Clauses (new SCCs). The new SCCs must be used by all SaaS suppliers and SaaS customers who transfer personal data from the EU to countries outside the EU/EEA (third countries) when the previous Standard Contractual Clauses (old SCCs) are repealed on the 27th of September 2021. Below is a summary of the changes and the measures that SaaS suppliers and SaaS customers need to take to adapt and implement the new SCCs.

What are EU Standard Contractual Clauses?

EU standard contractual clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection for the transfer of personal data to a third country. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor.

Where personal data is transferred from:

  • A data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
  • A SaaS supplier within the EU to a sub-processor located outside of the EEA;

the SaaS supplier will need to enter into EU standard contractual clauses with the SaaS customer or SaaS sub-processor, as applicable.

When EU standard contractual clauses are included in a SaaS agreement, no specific consent will need to be obtained from individual data subjects to the transfer to the third country.

When must the new SCCs be used?

SaaS suppliers and SaaS customers can continue using the old SCCs until the 27th of September 2021. From the 27th of September 2021 all new agreements with customers and suppliers (including inter-company agreements) must use the new SCCs. For all agreements already existing on the 27th of September 2021, SaaS suppliers and SaaS customers have until the 27th of December 2022 to replace the old SCCs with the new SCCs.

How are the new SCCs different?

The new SCCs cover 4 different types of transfers:

  • controller to controller;
  • controller to processor;
  • processor to processor;
  • processor to controller.

SaaS suppliers and SaaS customers must adapt and customise the 4 modules as required for each customer, supplier or inter-company data transfer, as applicable.

No separate DPA required

The new SCCs include all of the provisions that must be included in a written data processing agreement under Article 28 of the GDPR. This means that the new SCCs can be used without the need for any additional DPA. However, SaaS suppliers and SaaS customers may still want to have an overarching data transfer agreement that the new SCCs form a part of, in appropriate cases, as the new SCCs have very onerous provisions that should only apply to transfers of EU data.

Obligations of the Parties

Each of the 4 modules sets out the different data protection obligations of the parties, which will need to be customised for each applicable module or deleted if a module does not apply.

Security Measures

Specific technical and organisational measures (TOMs) must be described in Annex II of the new SCCs, clearly indicating which specific measures apply to each transfer.

Competent Supervisory Authority

The data importer agrees to accept the authority of the competent supervisory authority, respond to its enquiries, comply with the measures adopted by the authority and submit to audits by the authority.

The supervisory authority of the data exporter, not the data importer, will be the competent supervisory authority.

Where the data exporter is not located in the EU, but is subject to the GDPR, the supervisory authority will be that of:

  • the country in which their EU representative is established; or
  • the EU country in which the data subjects whose personal data is transferred are located, where no EU representative is required under the GDPR.

Local Law Assessment and Documentation

The data exporter and data importer must warrant that they have completed an assessment of the local laws in the third country to which EU personal data will be transferred, and that they have no reason to believe that such laws would prevent the importer from complying with its obligations under the new SCCs.

The parties must document this assessment (known as a “Schrems II assessment”) and make the assessment available, on request, to a data protection supervisory authority.

Access by Public Authorities

Data importers must comply with the contractual obligations set out in the new SCCs if they receive a binding request from a public authority for disclosure of personal data. This includes notifying the data exporter, documenting responses and requests, providing periodic reporting to the data exporter, and challenging requests, if the data importer determines that any access request is unlawful.

Third Party Beneficiaries

Data subjects can make direct claims and complaints against the data importer for breaches of the new SCCs.


The data exporter and data importer are jointly and severally liable for breaches of the new SCCs. Each party is also liable to the other and data subjects for breaches of the new SCCs.

Onward Transfers

These are only permitted where the third party receiving the personal data signs the new SCCs or is established in a country that is “adequate”, such as the UK.

Implementing the New SCCs

In order to implement the new SCCs, SaaS suppliers and SaaS customers need to:

  • carry out a data mapping exercise to identify all data transfers;
  • carry out a Schrems II assessment;
  • review and amend the technical and organisational measures used for protecting personal data transferred to third countries;
  • identify and review all existing contracts and template agreements that involve the transfer of personal data to a third country;
  • adapt and customise the new SCCs and their Annexes for transfers to and from customers, suppliers and inter-group companies;
  • use the new SCCs for all new contracts entered into from the 27th of September 2021;
  • replace the old SCCs with the new SCCs in all existing contracts by the 27th of December 2022.


Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years' experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues please contact me:
