Privacy & Data Protection

Standard Contractual Clauses and Personal Data Protection

Author: Preslav Baldzhiev

The competent authorities at the level of the European Union approach the personal data of natural persons with particular attention. The big step towards the protection of this type of information was made with the preparation and entry into force of Regulation (EU) 2016/679 (or the so-called “GDPR”), which unified the legislative regulation in this matter. In their desire to be as up-to-date, adequate, and comprehensive as possible, the European authorities further developed the regulation by drawing up Standard Contractual Clauses, the beginning of which can be traced back to the 1990s.

What are Standard Contractual Clauses?

Standard contractual clauses, as the name implies, are clauses that have been drawn up and approved by the European Commission (EC). They are not mandatory to apply, but any person dealing with the collection and processing of personal data may use them in their contractual relations.

On the one hand, such standard clauses aim to facilitate the negotiation process by reducing the commitment to create contracts regarding the collection and processing of personal data on a case-by-case basis. On the other hand, it ensures that the different subjects of personal data will be treated in the same way and that each natural person will benefit from the same amount of rights and protection.

In several places, as isolated opinions, claims can also be found that standard contract clauses violate the principle of “Freedom of Contract”. Such a view cannot be supported, above all, because of the protection of the public interest. Precisely because of this protection, standard contractual clauses fall within the exception to the above-mentioned principle, namely that parties can agree on anything that is not prohibited by law.

Types of Standard Contractual Clauses

Standard contractual clauses can be divided into two groups, taking into account the seat of the parties to the contract.

1. The first type of clauses (which you can familiarize yourself with here) covers relations between a Data Controller and a Data Processor, which are regulated within the framework of the European Economic Area (EEA). This means that they are only applicable when there is no transfer of data to third parties (outside the EEA). Their preparation is in accordance with the texts of Article 28, paragraphs 3 and 4 of Regulation (EU) 2016/679, and Article 29, paragraphs 3 and 4 of Regulation 2018/1725 (conditions for processing personal data through a Data Processor).

The competent authorities of the member states have an obligation to adopt similar standardized clauses – the difference with those drawn up and approved by the EC is that the regulations adopted by the national authorities will have effect only in the relevant territory. Another important difference is that “European” clauses can only be challenged before the Court of Justice of the European Union (CJEU).

2. The second type of the clauses (which you can find here) is applicable to the transfer of personal data outside the EEA. This type of clauses has a more protective function – that is, their purpose is to guarantee to the maximum extent the legal rights and interests of individuals whose personal data is transferred (according to European Union protection standards). By their nature, they are not something new, on the contrary – they build on three previous sets of standard clauses that regulate the same matter (in an attempt to make the legislation fit the digital reality). With the expiration of the transitional period (which was until 28.12.2022), the previous three sets are no longer applicable.

The current data transfer clauses are divided into five sections:

  • General Provisions – includes clauses that are always applicable;
  • Module 1 – transfer from Data Controller to another Data Controller;
  • Module 2 – transfer from Data Controller to Data Processor;
  • Module 3 – transfer from Data Processor to Subcontractor;
  • Module 4 – transfer from Data Processor to Data Controller.

Modules 1-4 (all points except “General Provisions”) are of an alternative – that is, the parties must determine which of the personal data transfer hypotheses they fall under and include the relevant clauses.

Rights of the subjects of personal data on transfer

As already mentioned, the purpose of standard contractual clauses is to guarantee and secure the rights and legal interests of natural persons, according to European Union standards (or in other words, those standards provided for in the GDPR). Along with them, several new obligations of the parties using the standard clauses are added (this, in turn, leads to expanding the rights of natural persons):

  • Natural persons whose Personal data are transferred should be notified of this transfer;
  • The Data Controller and/or the Data Processor should familiarize the subject of personal data with the applicable clauses free of charge (express referral is also allowed);
  • In the event that the subject of personal data cannot understand the information provided, he/she has the right to receive additional clarifications from the Data Controller and/or the Data Processor;
  • The subject of personal data may submit a complaint to the importer of personal data or to a Dispute Resolution Authority;
  • The subject of personal data may submit a complaint to a competent national authority (relative to the present address) or seek judicial protection;

Application of the Standard Contractual Clauses

To be enforceable, the Standard Contractual Clauses should be included in a contract. At the European level, no specific form is provided for its conclusion – this means that the provisions of national legislation and international private law are applicable.

Clauses should be included as they are worded – any deviation from the official translation will render the clause “non-standard”

It is permissible to include other clauses in the contract as long as they do not contradict the standard clauses. Added clauses, however, do not have the same value as standard clauses.


As can be seen from the entire exposition, the standard contractual clauses governing the transfer of personal data outside the EEA have greater applicability. Thanks to them, the rights and legitimate interests of citizens of the European Union are guaranteed in the way they would be protected within the Community. Such engagement of the European Commission provides, above all, a facility for Data Controller, Data Processors, and natural persons by establishing a uniform regime of regulation.

This material prepared by Preslav Baldzhiev aims to provide more information about the metaverse. It does not constitute a legal opinion and cannot be interpreted as individual consultation on any concrete facts or circumstances. The advice of a specialist should be obtained for specific questions and situations. For more information on the above-mentioned issues and individual consultations, please contact the team of the law firm of Krasimira Kadieva at 00359 882 308 670 or make an inquiry using the contact form on the website. Since 2017 Preslav Baldzhiev has graduated Sofia University “St. Kliment Ohridski “, having previously graduated from the High School of mathematics and natural science “Acad. Nicola Obreshkov” in Burgas. In February 2020 he took a course for industrial property representatives at the Patent Office of the Republic of Bulgaria in the field of trademarks, geographical indications, and industrial designs. He is interested in intellectual property, personal data protection, commercial and law on obligations and contracts and also regularly attends conferences, practical courses, seminars, and webinars.

error: Content is protected !!