On December 19th, the Ministry of Economy issued an exempt resolution approving Standard Contractual Clauses (CCT, for its initials in Spanish) for the international transfer of personal data. This measure forms part of the implementation process of the new Personal Data Protection Law (Law No. 21,719), which will take effect on December 1st, 2026, replacing the current Law on the Protection of Private Life (Law No. 19,628).

The new Personal Data Protection Law introduces a more demanding framework for the processing of personal data, incorporating a robust sanctions regime and the creation of the Personal Data Protection Agency (APDP for its initials in Spanish) as an autonomous authority with supervisory powers. Regarding international data transfers, the new law establishes that such transfers will only be lawful where an expressly provided legal basis applies, including the implementation of appropriate contractual safeguards.

In this context, SCCs constitute one of the lawful transfer mechanisms recognized by the new regulatory framework, although not the only one. Their practical relevance lies in enabling data controllers and processors to begin adjusting their processes in advance to align with the standards introduced by the new law, while the APDP has not yet issued regulations to perform an equivalent role.

Role and range of the SCCs

The Ministry of Economy’s resolution approves, as the official model, the SCCs included in the Implementation Guide on Model Standard Contractual Clauses for the International Transfer of Personal Data, developed within the framework of the Ibero‑American Data Protection Network (RIPD, for its initials in Spanish).

These clauses are designed as standardized, generally applicable instruments aimed at facilitating regulatory compliance, reducing the costs associated with negotiating individual transfer clauses, and allowing for the early adoption of the standards imposed by Law No. 21,719.

Practical guidelines for implementing SCCs

The model considers several relevant aspects for its use in international personal data transfers, including the following:

1. Identifying the applicable model based on data flows

It must be determined whether the transfer takes place between controllers (Controller ↔ Controller) or from a controller to a processor (Controller → Processor), as the extent of obligations varies depending on the role assumed by the data recipient and the applicable contractual model.

2. Use of the model, cover page, and annexes

As a general rule, the SCCs should be used without modifying their text, except for completing the cover page and the annexes provided for in the model.

However, SCCs may be incorporated into a broader agreement and supplemented with additional clauses or safeguards, provided that such provisions do not, directly or indirectly, conflict with the SCCs or undermine the fundamental rights of data subjects.

In addition, the SCCs include annexes designed to identify the parties involved in the transfer and to describe its key elements. In particular, these documents allow for: the identification of new parties joining at a later stage (Annex A); a description of the personal data transferred and their purposes, clearly distinguishing each transfer or category of transfers (Annex B); a detailed specification of the applicable security measures (Annex C); the identification of sub‑processors, where applicable (Annex D); and the incorporation of additional legal documentation, such as privacy notices or policies (Annex E).

3. Compliance throughout the duration of the transfer

The use of SCCs entails a set of obligations and legal effects that remain in force throughout the duration of the international personal data transfer.

In particular, the model recognizes data subjects as third‑party beneficiaries of the agreement, allowing them to exercise rights of access, rectification, erasure, and objection. This requires the existence of appropriate mechanisms to respond to such requests. Likewise, SCCs impose obligations aimed at ensuring compliance with the principles and duties set out in the model, including the implementation of appropriate administrative, physical, and technical measures, as well as mechanisms to demonstrate such compliance.

During the term of the transfer, the model also regulates the management of security incidents, establishing notification and cooperation obligations that vary depending on the contractual relationship between the parties. Additionally, it sets out specific conditions for onward transfers of personal data, which are permitted only in limited circumstances, such as the adoption of equivalent safeguards, the existence of an adequacy decision, the application of a statutory exception provided by law, or the data subject’s express and informed consent for a specific case.

4. Closing the data lifecycle

Upon completion of the services, the model also governs how personal data should be handled after processing ends. In particular, it requires the data importer to return or securely destroy the transferred personal data and to evidence that such action has been carried out. Where a legal obligation in the destination country prevents the return or deletion of the data, processing must be strictly limited to what is required under that legal obligation, while consistently maintaining the safeguards  set out in the SCCs.

Final considerations

In this context, understanding the range and operation of SCCs is particularly relevant for anticipating compliance with the new personal data protection regime and for evaluating at an early stage, how international data transfers should be structured in accordance with the standards that will be imposed by Law No. 21,719.

For questions or further information, please contact our corporate legal team.