New Modules on The Export of Data to Non- EU Countries.

(EC Decision of 4th of June 2021, Regulations EU 2016/679 and EU2018/1725)

The European Commission, with its Implementing Decision 2021/914 of 4th of June 2021, forces the implementation, across all Member States, of Four Modules of Standard Contractual Clauses (SCC) (hereinafter referred to as the “Clauses”) to ensure uniform compliance with Regulation (EU) 2016/679 for the transfer of personal data to a third country.

Implementing Decisions take precedent over national legislation; therefore, in the event of a contradiction between the Clauses and the provisions of related agreements between the Parties, already in place, the Clauses will prevail.

Parties are identified as:

  • The Natural/legal Persons, public authorities, agencies and/or other bodies transferring the personal data, (hereinafter referred to as the “Data Exporter”) and
  • The Entities in a third country receiving the personal data, directly or indirectly from the Data Importer, via an entity also party to the Clauses (hereinafter referred to as the “Data Importer”).

In general, with some exceptions, the Data Subjects can invoke and enforce the Clauses (without prejudice to their rights derived from the EU 2016/679), as Third-Party Beneficiaries against the Data Exporter and/or the Data Importer.

The Modules are detailed in Section II of the Annex to the Implementing Decision and are summarized below.

ModulesController to controllerController to processorProcessor to processorProcessor to controller
Instructions: processing only on documented instructions fromN/AData ExporterControllerData Importer acting as controller
Purpose:  processing of personal data only to occur for the specific purpose(s) of the transfer as these set out in Annex I.B.YesYesYesYes
Principles of lawful and secured processing apply and the Data Importer must approve the compliance and implementation of the same.YesYesYesN/A
Onward Transfers: allowed only if the third party agrees/is bound by the Clauses; otherwise, the provisions of Articles 45-47 of EU 2016/679 prevail.YesYesYesN/A

The clauses also extend to the use of sub-processors as outlined below:

  1. Authorisation procedures: Applicable for a) Transfer Controller to Processor and b) Transfer Processor to Processor.

There are two available options:


  • The Data Importer shall not sub-contract any of the processing activities without the Data Exporter’s prior specific authorization.
  • Submission of request for specific authorization at least [the period must be specified] prior to the engagement of the sub-processor.


  • The Data Importer has the Data Exporter’s general authorization for the engagement of sub-processors from an agreed list.
  • Data Importer shall inform the Data Exporter for any intended changes to that list [the period must be specified] in advance.
  • Exercise of Data Subjects’ Rights:

The following obligations are imposed:

Transfer Controller to Controller

  • The Data Importer shall deal with any enquiries and/or requests without undue delay.

Transfer Controller to Processor

  • The Data Importer shall notify the Data Exporter of any request it has received and assist the latter in fulfilling its obligations.

Transfer Processor to Processor

  • The Data Importer shall promptly notify the Data Exporter and the Controller (where appropriate) of any request received and without responding to that request unless it has been authorized to do so by the Controller.

Transfer Processor to Controller

  • The Parties shall assist each other in responding to enquiries and requests made by Data Subjects under the local law applicable to the Data Importer or, for data processing by the Data Exporter in the EU, under Regulation (EU)2016/679.

Next steps

The purpose of the Clauses is to help companies legitimise the transfer of personal data originating in the EEA to third countries whose data protection laws have not been found by the European Commission to offer adequate protection to Data Subjects.  Many of their provisions align with GDPR requirements. Impacted companies now have a transitional period of 18 months from the date the Clauses come into force (27 June 2021) to replace all existing standard clause contracts with them. Whilst this may seem a generous timeframe it will still involve significant work for many companies in the coming months. Additionally, organisations should be aware that whilst they may continue to use the current standard clauses, including for new transfers, this concession is only for a maximum 3-month period from 27 June 2021.

Elias Neocleous & Co LLC., has an extensive Data, Privacy and Cybersecurity Department which would be pleased to assist you in managing this change.  For more information, please speak with a member of our Data, Privacy and Cybersecurity Department at [email protected] and/or reach out to your usual contact at Elias Neocleous & Co LLC.