Standard Contractual Clauses (SCCs): Complete Guide to International Data Transfers
A detailed guide to using Standard Contractual Clauses for GDPR-compliant international data transfers. Learn about the 2021 SCCs, when they are required, how to implement them, and what supplementary measures and Transfer Impact Assessments are necessary.
What Are Standard Contractual Clauses?
Standard Contractual Clauses (SCCs) are pre-approved contractual terms adopted by the European Commission that provide a legal mechanism for transferring personal data from the European Economic Area (EEA) to countries that do not have an adequacy decision from the EU. When organizations transfer personal data outside the EEA, they must ensure that the data continues to receive protection equivalent to that provided under GDPR. SCCs are one of the key tools for achieving this protection.
Under GDPR Article 46, organizations may transfer personal data to third countries subject to appropriate safeguards. SCCs represent standardized contractual protections that the European Commission has determined provide adequate safeguards for such transfers. By incorporating these clauses into agreements between data exporters (typically EU-based organizations) and data importers (organizations in third countries), both parties commit to handling personal data according to GDPR standards regardless of the local laws in the destination country.
The use of SCCs has become increasingly important following the Court of Justice of the European Union's Schrems II decision in July 2020, which invalidated the EU-US Privacy Shield framework and imposed additional requirements on organizations relying on SCCs. The ruling emphasized that SCCs alone may not be sufficient and that organizations must assess whether the legal framework in the destination country allows the data importer to actually comply with the SCC obligations.
When SCCs Are Required
SCCs are required when transferring personal data from the EEA to a country without an EU adequacy decision, and when no other valid transfer mechanism (such as Binding Corporate Rules or explicit consent) applies. This includes transfers to major markets like the United States (for non-DPF certified entities), China, India, and many other countries where EU data protection is not recognized as equivalent.
The New 2021 SCCs Explained
In June 2021, the European Commission adopted new Standard Contractual Clauses that replaced the previous versions dating from 2001 and 2010. The new SCCs represent a significant modernization, addressing gaps in the previous clauses and incorporating requirements arising from the Schrems II judgment. Organizations were required to transition to the new SCCs by February 2, 2026, and all transfers must now use the 2021 version.
The most significant change in the 2021 SCCs is the modular approach. Rather than having separate sets of clauses for different transfer scenarios, the new SCCs consist of general clauses that apply to all transfers plus four modules that parties select based on their specific roles and the nature of the transfer. This flexibility allows the same framework to cover controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller transfers.
The Four SCC Modules
Understanding which module applies to your data transfers is essential for proper SCC implementation. Each module contains specific obligations tailored to the roles of the parties involved.
Controller to Controller
For transfers where both the data exporter and importer are data controllers
Use case: Sharing customer data with a business partner who independently determines purposes
Controller to Processor
For transfers from an EU controller to a non-EU processor
Use case: Using a cloud service provider or SaaS platform outside the EEA
Processor to Processor
For transfers from an EU processor to a non-EU sub-processor
Use case: When your EU-based processor engages a sub-processor in a third country
Processor to Controller
For transfers from a non-EU processor back to an EU controller
Use case: When processed data flows back from a third-country processor to the EU controller
Key Changes from Previous SCCs
The 2021 SCCs introduced several important changes that organizations must understand when implementing or updating their international transfer mechanisms.
| Aspect | Old SCCs | New 2021 SCCs |
|---|---|---|
| Modular Approach | Separate sets for controller-processor and controller-controller | Four modules covering all transfer scenarios in one document |
| Processor Chains | Limited provisions for sub-processing | Explicit module for processor-to-processor transfers |
| Multi-party Execution | Limited to two-party agreements | Docking clause allows additional parties to join existing SCCs |
| Schrems II Compliance | Pre-dated Schrems II ruling | Includes provisions addressing Schrems II requirements |
| Transfer Impact Assessment | Not explicitly required | Mandatory assessment of destination country laws |
| Government Access | General confidentiality obligations only | Specific obligations regarding government access requests |
Docking Clause
One innovative feature of the 2021 SCCs is the docking clause, which allows additional parties to accede to existing SCCs without requiring a new agreement. This is particularly useful in complex data processing chains where new sub-processors may be added over time. When a new party joins, they become bound by the existing SCC obligations from the date of accession, and all parties must update the relevant annexes to reflect the new arrangement.
When Are SCCs Required?
SCCs are one of several legal mechanisms available for international data transfers under GDPR. Understanding when SCCs are required versus when alternative mechanisms apply is essential for compliance planning.
Adequacy Decisions
The European Commission may determine that a third country, territory, or international organization provides an adequate level of data protection. When an adequacy decision is in place, data may flow freely to that destination without additional safeguards like SCCs. Currently, adequacy decisions cover the following jurisdictions:
| Country/Territory | Status | Notes |
|---|---|---|
| Andorra | Full adequacy | Adequacy decision in effect |
| Argentina | Full adequacy | Adequacy decision in effect |
| Canada | Partial adequacy | Commercial organizations under PIPEDA only |
| Faroe Islands | Full adequacy | Adequacy decision in effect |
| Guernsey | Full adequacy | Adequacy decision in effect |
| Israel | Full adequacy | Adequacy decision in effect |
| Isle of Man | Full adequacy | Adequacy decision in effect |
| Japan | Full adequacy | Mutual adequacy with EU |
| Jersey | Full adequacy | Adequacy decision in effect |
| New Zealand | Full adequacy | Adequacy decision in effect |
| Republic of Korea | Full adequacy | Adequacy decision since 2022 |
| Switzerland | Full adequacy | Adequacy decision in effect |
| United Kingdom | Full adequacy | Post-Brexit adequacy through 2025 |
| United States | EU-US Data Privacy Framework | For certified organizations only |
| Uruguay | Full adequacy | Adequacy decision in effect |
US Transfers: Data Privacy Framework
For transfers to the United States, the EU-US Data Privacy Framework provides adequacy for organizations that self-certify under the framework. However, transfers to US organizations not certified under the DPF still require SCCs or another valid transfer mechanism. Always verify certification status before relying on the DPF for US transfers.
Alternative Transfer Mechanisms
Besides SCCs and adequacy decisions, GDPR provides other mechanisms for international transfers. Binding Corporate Rules (BCRs) are internal rules adopted by multinational corporate groups for intra-group transfers. BCRs require approval from supervisory authorities and are typically used by large organizations with significant data flows between group entities. Codes of conduct and certification mechanisms approved under GDPR can also serve as transfer mechanisms when combined with binding commitments from the data importer.
In limited circumstances, GDPR Article 49 derogations permit transfers without additional safeguards. These include explicit consent from the data subject, transfers necessary for contract performance, important public interest, legal claims, vital interests, and transfers from public registers. However, these derogations are interpreted narrowly and cannot serve as the basis for systematic or large-scale transfers.
Transfer Impact Assessments
Following the Schrems II judgment, organizations relying on SCCs must conduct a Transfer Impact Assessment (TIA) before transferring data. The TIA evaluates whether the legal framework in the destination country allows the data importer to actually fulfill the obligations set out in the SCCs. If the assessment reveals that SCCs alone cannot ensure adequate protection, the organization must implement supplementary measures or suspend the transfer.
TIA Assessment Factors
The European Data Protection Board (EDPB) has provided guidance on conducting Transfer Impact Assessments. The assessment should consider multiple factors relating to the destination country's legal framework and the specific circumstances of the transfer.
Legal Framework Assessment
- Laws and practices in the destination country regarding government access
- Independence of supervisory authorities in the destination country
- Available legal remedies for data subjects
- Existence of international agreements on data protection
Transfer Circumstances
- Categories of personal data being transferred
- Sensitivity of the data (special categories, criminal data)
- Format of data (plain text vs encrypted)
- Length of processing chain and number of parties involved
Technical Measures
- Encryption methods and key management practices
- Pseudonymization or anonymization techniques
- Access controls and authentication mechanisms
- Security certifications of the data importer
Contractual Protections
- Transparency commitments about government access requests
- Obligations to challenge unlawful access requests
- Notification obligations when access requests are received
- Audit rights and compliance verification mechanisms
Documenting Your TIA
Organizations must document their Transfer Impact Assessment process and conclusions. This documentation serves as evidence of compliance and may be requested by supervisory authorities. A thorough TIA document should include identification of the specific transfer being assessed, description of the data categories and processing activities, analysis of the destination country's legal framework, evaluation of supplementary measures if implemented, and the conclusion reached regarding the adequacy of protections.
The assessment should be updated whenever there are significant changes to the destination country's legal framework, the nature of the transfer, or the supplementary measures in place. Organizations should establish a regular review schedule, typically annually, to ensure their assessments remain current.
Supplementary Measures
When a Transfer Impact Assessment reveals that SCCs alone may not provide adequate protection, organizations must implement supplementary measures to bridge the protection gap. The EDPB has categorized these measures as technical, organizational, and contractual, with technical measures generally being the most effective.
Technical Measures
High Effectiveness
- End-to-end encryption with EU-based key management
- Pseudonymization where the pseudonymization key remains in the EU
- Split processing so data importer cannot access complete dataset
- Multi-party computation techniques
- Secure enclaves for processing sensitive data
Organizational Measures
Medium Effectiveness
- Strict internal policies limiting data access
- Data minimization and storage limitation practices
- Regular security audits and assessments
- Staff training on data protection obligations
- Incident response procedures specific to government access
Contractual Measures
Medium Effectiveness
- Enhanced transparency obligations beyond SCC requirements
- Specific commitments to resist unlawful access requests
- Expanded audit rights for data exporters
- Agreed procedures for notifying data exporters of access requests
- Indemnification for damages caused by non-compliance
Technical Measures in Practice
Technical measures are generally the most effective supplementary measures because they can prevent access to personal data regardless of the legal framework in the destination country. The key principle is that even if government authorities in the destination country compel the data importer to provide access, technical measures should ensure that the data remains protected.
For example, strong encryption with EU-controlled key management means that even if a US company is compelled to provide data under FISA Section 702, they can only provide encrypted data that they cannot decrypt. Similarly, pseudonymization where the mapping table remains in the EU means the data importer only has access to pseudonymous data that cannot be linked to individuals without the EU-held key.
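The pseudonymization arrangement described above can be sketched as follows. This is an added example, not code from the original guide: the class name `EUPseudonymizer`, the `subject_ref` field, and the sample records are assumptions made for illustration. The exporter replaces the direct identifier with a keyed HMAC before export and keeps both the key and the mapping table on the EU side.

```python
import hashlib
import hmac
import secrets


class EUPseudonymizer:
    """Exporter-side component: the key and mapping table stay in the EU."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._mapping = {}  # pseudonym -> identifier; never exported

    def pseudonym(self, identifier: str) -> str:
        # Normalise so "Anna@Example.org " and "anna@example.org" link up.
        normalized = identifier.strip().lower()
        # Keyed HMAC, not a bare hash: without the key the importer cannot
        # confirm a guessed identifier by hashing it.
        tag = hmac.new(self._key, normalized.encode("utf-8"),
                       hashlib.sha256).hexdigest()[:32]
        self._mapping[tag] = normalized
        return tag

    def prepare_export(self, records, id_field, drop_fields=()):
        """Return copies of the records with direct identifiers removed."""
        exported = []
        for rec in records:
            row = {k: v for k, v in rec.items()
                   if k != id_field and k not in drop_fields}
            row["subject_ref"] = self.pseudonym(rec[id_field])
            exported.append(row)
        return exported

    def reidentify(self, subject_ref: str):
        """Only possible where the mapping table lives (the EU side)."""
        return self._mapping.get(subject_ref)


def importer_guess(identifier: str) -> str:
    """What a party without the key could compute: an unkeyed hash."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hashlib.sha256(normalized).hexdigest()[:32]


# Constructed sample records (not real data).
RECORDS = [
    {"email": "anna@example.org", "name": "Anna Muster", "plan": "pro", "logins": 14},
    {"email": "Anna@Example.org ", "name": "Anna Muster", "plan": "pro", "logins": 3},
    {"email": "ben@example.org", "name": "Ben Beispiel", "plan": "free", "logins": 1},
]

if __name__ == "__main__":
    eu = EUPseudonymizer(secrets.token_bytes(32))  # key generated and held in the EU
    for row in eu.prepare_export(RECORDS, "email", drop_fields=("name",)):
        print(row)
```

The fields that remain in the export (here `plan` and `logins`) can still act as quasi-identifiers, so which columns to drop or generalize is part of the assessment, and the exported records remain personal data under GDPR.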
When Supplementary Measures Are Insufficient
In some cases, no supplementary measures may be sufficient to ensure adequate protection. If the data importer requires access to data in clear text to perform the processing, and the destination country's laws permit government access in ways that undermine GDPR protections, the transfer may need to be suspended. This is particularly relevant for certain processing activities that inherently require clear-text access.
Implementation Steps
Implementing SCCs requires careful planning and execution. Organizations should follow a systematic approach to ensure all transfers are properly covered and documented.
SCC Implementation Checklist
- Identify all international data transfers in your organization
- Map data flows to determine which SCC module applies to each transfer
- Conduct Transfer Impact Assessment for each destination country
- Evaluate whether supplementary measures are needed
- Implement necessary technical and organizational measures
- Prepare the appropriate SCC modules with all required annexes
- Execute SCCs with data importers (signatures required)
- Complete Annex I (parties, transfers, competent supervisory authority)
- Complete Annex II (technical and organizational security measures)
- Complete Annex III (list of sub-processors if applicable)
- Document your TIA process and conclusions
- Establish monitoring procedures for ongoing compliance
- Set review schedules for periodic reassessment
- Update privacy policy to reference international transfer mechanisms
Completing the SCC Annexes
The 2021 SCCs require completion of detailed annexes that specify the particulars of the data transfer. Annex I identifies the parties to the agreement, describes the transfers covered, specifies the competent supervisory authority, and includes any optional clauses the parties have elected to include. This annex must be completed for every SCC agreement.
Annex II describes the technical and organizational security measures implemented by the data importer. This annex should be detailed and specific, covering areas such as encryption, access controls, personnel security, and incident response. For Module 2 (controller-to-processor) transfers, these measures should align with the security requirements in your Data Processing Agreement.
Annex III applies only when sub-processing is authorized and lists the sub-processors engaged by the data importer. This annex should specify each sub-processor's name, location, and the processing activities they perform. It should be updated whenever sub-processors are added or removed.
Execution Requirements
SCCs must be executed by authorized representatives of both parties. Unlike some contracts that can be incorporated by reference, SCCs typically require actual signatures. Electronic signatures are generally acceptable where valid under applicable law. The executed SCCs should be retained as evidence of compliance and made available to supervisory authorities upon request.
For existing relationships, organizations should execute new SCCs rather than attempting to amend old SCCs to the new format. The 2021 SCCs represent a new legal instrument, and the transition should be treated as entering into new contractual arrangements.
Ongoing Compliance Requirements
Implementing SCCs is not a one-time exercise. Organizations must maintain ongoing compliance through regular monitoring, assessment updates, and adaptation to changing circumstances.
Monitoring Obligations
Under the 2021 SCCs, data exporters have ongoing obligations to monitor the legal framework in destination countries and the data importer's compliance with SCC obligations. This includes staying informed about legal developments that might affect the adequacy of protections and responding appropriately when concerns arise.
Data importers have specific obligations under the SCCs regarding government access requests. They must notify the data exporter promptly if they receive legally binding requests for disclosure of personal data, unless prohibited by law. They must also challenge requests they believe to be unlawful and document their assessment of lawfulness.
Review and Update Schedule
Organizations should establish regular review schedules for their international transfer arrangements. This typically includes annual review of Transfer Impact Assessments, quarterly monitoring of legal developments in key destination countries, immediate review when significant legal changes occur, and periodic audit of data importer compliance with SCC obligations.
Documentation Best Practice
Maintain a centralized register of all international transfers, including the legal basis for each transfer, SCC module used, TIA documentation, supplementary measures implemented, and last review date. This register facilitates compliance monitoring and demonstrates accountability to supervisory authorities.
Common Implementation Challenges
Organizations frequently encounter challenges when implementing SCCs. Understanding these challenges helps in planning and executing a successful implementation.
Vendor Cooperation
Executing SCCs requires cooperation from data importers, who may be resistant to signing contracts with extensive obligations. Large technology vendors often have their own SCC templates that they prefer to use. When negotiating with such vendors, focus on ensuring the substantive protections are adequate rather than insisting on your own form. The key obligation clauses in the European Commission's SCCs cannot be modified, though the annexes provide flexibility.
Complex Processing Chains
Modern data processing often involves multiple parties and cross-border flows. Mapping these flows and ensuring appropriate SCCs cover each transfer requires careful analysis. The docking clause in the 2021 SCCs helps manage ongoing additions to processing chains, but initial mapping remains essential.
TIA Resource Requirements
Conducting thorough Transfer Impact Assessments requires legal expertise regarding destination country laws and technical expertise regarding security measures. Many organizations lack internal resources for this analysis and must engage external counsel or consultants. Prioritizing assessments based on data sensitivity and transfer volume helps manage resource constraints.
Frequently Asked Questions
Can I use the old SCCs?
No. The transition period for the 2021 SCCs ended on February 2, 2026. All international transfers relying on SCCs must now use the new 2021 version. Transfers still operating under old SCCs are non-compliant and should be updated immediately.
Do I need SCCs for transfers to the UK post-Brexit?
Currently, no. The European Commission issued an adequacy decision for the UK that remains in effect. However, this adequacy decision is subject to review and could be revoked. Organizations should monitor developments and have contingency plans for implementing SCCs if UK adequacy is withdrawn.
Which module do I use for SaaS providers?
Typically Module 2 (controller to processor), as most SaaS customers are controllers transferring data to processors. However, if the SaaS provider independently determines purposes for some processing (such as product improvement or fraud detection), a combination of Module 1 and Module 2 may be appropriate.
Can I modify the SCC clauses?
The core clauses of the SCCs cannot be modified, as they have been approved by the European Commission in their specific form. However, parties may add additional clauses that do not contradict the SCCs or diminish data subject rights. The annexes must be completed with specifics of the transfer.
How often should I update my TIA?
TIAs should be reviewed at least annually and updated whenever there are significant changes to the destination country's legal framework, the nature of the data transferred, or the supplementary measures in place. Material changes require immediate reassessment.
What happens if my TIA shows SCCs are insufficient?
If your TIA concludes that SCCs alone cannot ensure adequate protection, you must implement supplementary measures sufficient to bridge the gap. If no supplementary measures can provide adequate protection, the transfer must be suspended or not commenced.