ElyForma

Standard Contractual Clauses Guide

Standard Contractual Clauses Guide South Africa

Standard contractual clauses are pre-drafted privacy and data-protection clauses used in contracts to help regulate the transfer, sharing, and handling of personal information. In South Africa, they are most relevant when personal information is sent outside the Republic or shared with foreign service providers, cloud platforms, group companies, or other overseas recipients. POPIA section 72 says personal information may only be transferred outside South Africa in limited circumstances, including where the recipient is subject to a law, binding corporate rules, or a binding agreement that provides an adequate level of protection and effectively upholds principles substantially similar to POPIA. (inforegulator.org.za)

This guide explains what standard contractual clauses are, when to use them in South Africa, how they relate to POPIA section 72, and why South African businesses often use contractual data-transfer clauses even though POPIA does not publish one official SCC template equivalent to the EU model. The Information Regulator’s 2025/2026 Annual Performance Plan also says it intends to issue a guidance note to help responsible parties conduct transborder commerce requiring cross-border processing of personal information. (inforegulator.org.za)

What are standard contractual clauses?

Standard contractual clauses are contract provisions used to set rules for how personal information will be handled between parties. They usually deal with:

  • what personal information is transferred
  • why it is transferred
  • what the recipient may and may not do with it
  • confidentiality obligations
  • security measures
  • onward transfers
  • breach notification
  • cooperation with data-subject rights
  • audit or compliance rights
  • return or deletion of data

In South African compliance practice, standard contractual clauses are often used in:

  • vendor contracts
  • cloud-service agreements
  • software contracts
  • outsourcing agreements
  • group-company data-sharing arrangements
  • cross-border processing agreements

Why standard contractual clauses matter in South Africa

Standard contractual clauses matter because POPIA places conditions on transfers of personal information outside South Africa. Section 72 says transfer is allowed only where one of the listed legal grounds exists, including adequate protection through foreign law, binding corporate rules, or a binding agreement, or where another section 72 ground such as consent, contractual necessity, benefit to the data subject, or likely consent applies. (inforegulator.org.za)

That means a South African organisation using overseas cloud tools, payroll systems, HR platforms, CRMs, email platforms, or support providers often needs a contractual mechanism that helps show the transfer is properly governed.

POPIA section 72 and cross-border transfers

This is the key South African rule.

POPIA section 72 allows transfer of personal information outside the Republic only if:

  • the recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection and effectively upholds principles substantially similar to POPIA
  • the data subject consents to the transfer
  • the transfer is necessary for performing a contract between the data subject and the responsible party, or for pre-contract measures requested by the data subject
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party
  • the transfer is for the benefit of the data subject, and it is not reasonably practicable to obtain consent, but the data subject would likely give consent if it were practicable to ask. (inforegulator.org.za)

This is why standard contractual clauses are so useful in South Africa: they help provide the “binding agreement” element where the transfer relies on contractual safeguards.

Does South Africa have official POPIA SCCs?

At the moment, South Africa does not have one single official POPIA SCC template published by the Information Regulator in the same way the European Commission has official EU SCCs. I did not find an official Information Regulator-issued POPIA SCC template in the sources reviewed. What POPIA does provide is the legal standard in section 72 requiring adequate protection via law, binding corporate rules, or binding agreement. (inforegulator.org.za)

The Information Regulator has, however, indicated in its 2025/2026 Annual Performance Plan that it aims to issue guidance on transborder commerce involving cross-border processing of personal information. (inforegulator.org.za)

South African SCCs vs EU SCCs

This distinction matters.

The European Commission adopted its current EU standard contractual clauses on 4 June 2021 for certain controller-processor and international-transfer situations under EU data-protection law. (commission.europa.eu)

A South African organisation may sometimes use EU SCCs as part of a broader international contracting framework, especially where an EU party is involved. But EU SCCs are not automatically the same thing as POPIA compliance. For South African purposes, the key question is whether the contractual arrangement helps satisfy POPIA section 72 and the broader POPIA obligations on lawful processing, security, operator control, and accountability. (inforegulator.org.za)

Standard contractual clauses vs data processing agreement

These are related, but not always identical.

Standard contractual clauses

These are standardised privacy clauses, often focused on cross-border transfers or broader privacy safeguards.

Data processing agreement

A data processing agreement is a broader contract used where one party processes personal information on behalf of another. Under POPIA sections 20 and 21, an operator must process with the knowledge or authorisation of the responsible party, keep the information confidential, and the responsible party must ensure by written contract that the operator establishes and maintains the required security measures. (inforegulator.org.za)

In South Africa, a cross-border operator contract may therefore need both:

  • operator/DPA-style clauses under sections 20 and 21, and
  • transfer clauses that support section 72 compliance.

When to use standard contractual clauses in South Africa

A South African organisation should consider standard contractual clauses when:

  • it uses foreign cloud software
  • it stores personal information outside South Africa
  • it outsources processing to an overseas service provider
  • it shares HR, payroll, CRM, or support data with a foreign affiliate
  • it uses offshore hosting or managed services
  • it transfers customer data to a foreign platform
  • it sends data to a foreign processor or sub-processor
  • it wants stronger contractual protection around cross-border data handling

They are especially useful where the organisation wants to rely on a binding agreement as part of section 72 compliance.

When not to rely on SCC wording alone

Standard contractual clauses are useful, but they may not be enough on their own if:

  • the organisation has not identified what personal information is actually being transferred
  • the business has no clear legal basis for the transfer
  • the foreign recipient’s real practices do not match the contract wording
  • the organisation has not assessed onward transfers or sub-processors
  • the privacy notice does not disclose the transfer properly
  • the transfer actually relies on consent or contractual necessity instead of contractual safeguards
  • the organisation has not handled operator-security duties properly

In other words, South African SCC-style clauses should support real governance, not act as decorative wording.

What South African standard contractual clauses should cover

A strong South African SCC-style clause set should usually include the following.

Parties and roles

Identify:

  • the responsible party
  • the operator, if applicable
  • the foreign recipient
  • any onward recipients where relevant

Purpose of transfer

Explain why the personal information is being transferred.

Categories of data

Describe the categories of personal information involved.

Data subjects

State whose information is involved, such as:

  • customers
  • employees
  • users
  • suppliers
  • applicants
  • students

POPIA-equivalent protection commitment

State that the recipient will maintain a level of protection substantially similar to POPIA, as section 72 requires for the binding-agreement route. (inforegulator.org.za)

Confidentiality

Require confidentiality obligations for all personnel and authorised recipients.

Security safeguards

POPIA section 19 requires appropriate, reasonable technical and organisational measures, and sections 20 and 21 impose operator-security obligations. The clauses should reflect those duties. (inforegulator.org.za)

Restrictions on onward transfer

The recipient should not onward-transfer the information unless equivalent protection applies.

Data-subject rights cooperation

The recipient should help the South African responsible party respond to access, correction, deletion, or other lawful requests where relevant.

Breach notification

The clauses should require prompt notification if there are reasonable grounds to believe the personal information has been accessed or acquired by an unauthorised person, consistent with POPIA’s incident framework. (inforegulator.org.za)

Retention, return, and deletion

The contract should explain what happens to the data at the end of the relationship.

Audit, information, or assurance rights

The responsible party should have some way to verify compliance in practice.

Binding corporate rules and group transfers

POPIA section 72 also recognises binding corporate rules as one of the possible adequate-protection routes. That means multinational groups operating in South Africa may use internal group privacy rules alongside contractual controls when transferring data between entities. (inforegulator.org.za)

For groups that do not yet have formal binding corporate rules, contract-based clauses are often the more practical starting point.

Cross-border disclosures in PAIA manuals

South African PAIA manuals often include a section describing planned transborder flows of personal information. The Information Regulator’s own PAIA manual says that if cross-border transfer becomes necessary, it will ensure the recipient is subject to law, binding corporate rules, or a binding agreement providing an adequate level of protection, and older Regulator manual wording also referred to consent where appropriate. (inforegulator.org.za)

That is useful because it shows how section 72 principles are reflected in real South African governance documents.

Common mistakes

Common South African standard-contractual-clause mistakes include:

  • copying EU SCCs without adapting them to POPIA
  • ignoring section 72’s actual transfer grounds
  • not identifying whether the recipient is an operator or another responsible party
  • failing to cover onward transfers
  • using generic wording that does not describe the real transfer
  • forgetting breach-notification obligations
  • not aligning the clauses with the privacy notice and internal records
  • assuming a contract alone solves unlawful over-collection or poor security

Practical questions before using SCC-style clauses

Before using standard contractual clauses in South Africa, ask:

  • What personal information is leaving South Africa?
  • Which section 72 ground are we relying on?
  • Is the foreign recipient an operator, another responsible party, or both in different contexts?
  • Does the contract give POPIA-equivalent protection?
  • Will the recipient use sub-processors or onward recipients?
  • Do our privacy notices and records of processing reflect the transfer?
  • Are we also complying with POPIA sections 19, 20, and 21?

Example of when this guide is useful

This guide is useful for:

  • a South African company using offshore cloud software
  • a business transferring HR data to a foreign parent company
  • a SaaS company using international processors
  • an employer using overseas payroll or support tools
  • an organisation building POPIA-compliant cross-border vendor contracts

FAQ

What are standard contractual clauses in South Africa?

They are privacy and data-transfer clauses used in contracts to regulate handling of personal information, especially in cross-border or outsourced-processing situations.

Does POPIA allow cross-border data transfers?

Yes, but only in the circumstances listed in section 72, including where the recipient is subject to adequate protection through law, binding corporate rules, or a binding agreement, or where another listed ground such as consent or contractual necessity applies. (inforegulator.org.za)

Does South Africa have official POPIA SCCs?

Not in the same way the EU has official Commission SCCs. POPIA provides the section 72 standard, but I did not find an official Information Regulator-issued POPIA SCC template in the sources reviewed. The Regulator has, however, indicated work on transborder-processing guidance. (inforegulator.org.za)

Can we use EU SCCs for South African data transfers?

Sometimes they may help in international deals, especially where an EU party is involved, but they should not be assumed to equal POPIA compliance automatically. The South African question remains whether the arrangement satisfies section 72 and the rest of POPIA. (commission.europa.eu)

Are SCCs the same as a data processing agreement?

Not always. A DPA usually addresses operator-processing duties more broadly, while SCC-style clauses often focus more specifically on cross-border transfer protections. In South Africa, both may be needed together. (inforegulator.org.za)

What is the main South African legal section for overseas transfers?

POPIA section 72 is the key provision on transfers of personal information outside the Republic. (inforegulator.org.za)

Related guides

You may also want to read:

  • GDPR Data Processing Agreement
  • Data Sharing Agreement Guide
  • Records of Processing Activities Guide
  • Information Security Policy Guide
  • Privacy Policy Template
  • Data Retention Policy Guide
  • Cookie Policy Guide
  • Data Processing Consent Form Guide

A strong South African standard-contractual-clauses approach should be built around POPIA section 72, adapted to the real cross-border data flow, and combined with operator, security, and governance controls rather than copied blindly from another legal regime.