Standard Contractual Clauses (SCCs): Complete GDPR Guide to International Data Transfers (2026)
February 21, 2026
Updated: February 22, 2026
26 min read
Data Privacy
Every time your European customer data flows to a US SaaS provider, a customer support centre in India, or a cloud server in Singapore, you're making an international data transfer under the GDPR. And every international transfer to a country without an EU adequacy decision requires a legal mechanism to protect the data — the most widely used of which is Standard Contractual Clauses (SCCs).
Since the Court of Justice's Schrems II decision in July 2020 invalidated the EU-US Privacy Shield and imposed strict conditions on SCCs, international data transfers have become one of the most complex areas of GDPR compliance. The European Commission adopted new SCCs in June 2021, which are now the only valid version. The EU-US Data Privacy Framework (DPF) provides a new adequacy mechanism for transfers to certified US organisations — but it doesn't replace the need for SCCs in many scenarios.
This guide provides a complete, practical explanation of Standard Contractual Clauses — which modules to use, how to conduct a Transfer Impact Assessment, when the EU-US DPF applies, and how to implement SCCs properly.
| Quick Reference | Details |
|---|---|
| What are SCCs? | Pre-approved contractual clauses adopted by the European Commission for international data transfers under GDPR |
| Legal basis | GDPR Article 46(2)(c) — transfers subject to appropriate safeguards |
| Current version | Commission Implementing Decision (EU) 2021/914 (adopted 4 June 2021) |
| Transfer Impact Assessment (TIA) | Required for every transfer using SCCs — assesses third-country legal framework |
| EU-US Data Privacy Framework | Adequacy decision for transfers to DPF-certified US organisations (since 10 July 2023) |
| Supplementary measures | Additional technical, organisational, or contractual measures if third-country law undermines SCC protections |
| Penalty for non-compliant transfers | Up to EUR 20 million or 4% of global annual turnover |
Key Takeaways
Standard Contractual Clauses are pre-approved contract terms adopted by the European Commission that provide legal safeguards for international data transfers
The 2021 SCCs are the only valid version — any transfers still relying on the old 2010 SCCs are non-compliant
SCCs use a modular system with four modules matching different transfer relationships (C2C, C2P, P2P, P2C)
SCCs alone may not be sufficient — Schrems II requires a Transfer Impact Assessment (TIA) to evaluate whether the destination country's legal framework undermines the protections
If the TIA reveals risks, you must implement supplementary measures (encryption, pseudonymisation, contractual safeguards) or suspend the transfer
The EU-US Data Privacy Framework provides an adequacy decision for transfers to DPF-certified US companies — but you should verify the recipient's DPF certification and assess whether it covers your data types
SCCs can be embedded in broader commercial contracts — they don't need to be a standalone document
Regular reviews are essential — changes in third-country law or the recipient's circumstances can invalidate your TIA
Standard Contractual Clauses (SCCs) are pre-approved contractual terms adopted by the European Commission under GDPR Article 46(2)(c). When you transfer personal data from the EU/EEA to a country that doesn't have an adequacy decision (i.e., the European Commission has not determined that the country provides an adequate level of data protection), SCCs provide the legally required safeguards.
SCCs create binding obligations between the data exporter (the party sending data out of the EU) and the data importer (the party receiving data outside the EU). The clauses impose GDPR-equivalent protections on the data importer, including:
Processing data only for specified purposes
Implementing appropriate technical and organisational security measures
Complying with data subject rights requests
Notifying the exporter of government access requests
Submitting to EU supervisory authority jurisdiction
Allowing the exporter to audit the importer's compliance
When Do You Need SCCs?
Decision Tree
```text
Is the data transfer to a country within the EU/EEA?
├── Yes → No transfer mechanism needed
└── No → Does the destination country have an EU adequacy decision?
    ├── Yes → Transfer permitted under adequacy decision
    │         (but verify scope — some adequacy decisions are limited)
    └── No → You need a transfer mechanism:
        ├── SCCs (most common)
        ├── Binding Corporate Rules (BCRs) — for intra-group transfers
        ├── Approved code of conduct or certification
        └── Derogations (Art. 49) — narrow circumstances only
```
Countries with EU Adequacy Decisions (as of 2026)
| Country/Territory | Scope |
|---|---|
| Andorra, Argentina, Canada (PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay | Full adequacy |
| United States | EU-US Data Privacy Framework — only for DPF-certified organisations |
All other countries require a transfer mechanism — most commonly SCCs.
The Four SCC Modules Explained
The 2021 SCCs use a modular approach. You select the module that matches your transfer relationship:
| Module | Transfer Relationship | When to Use |
|---|---|---|
| Module 1 | Controller → Controller (C2C) | EU controller transfers data to a non-EU controller |
| Module 2 | Controller → Processor (C2P) | EU controller transfers data to a non-EU processor |
| Module 3 | Processor → Processor (P2P) | EU processor transfers data to a non-EU sub-processor (on behalf of an EU controller) |
| Module 4 | Processor → Controller (P2C) | EU-based processor transfers data back to a non-EU controller (rare scenario) |
Module 1: Controller to Controller
Scenario: Your EU organisation shares customer data with a non-EU business partner for their own purposes (joint marketing, partnerships, M&A due diligence).
Key features:
Both parties are independent controllers with their own purposes
Data importer must comply with GDPR-equivalent requirements
Data subjects have direct enforcement rights against the importer
Module 2: Controller to Processor
Scenario: Your EU organisation uses a US SaaS platform (CRM, cloud hosting, analytics, email marketing) that processes data on your behalf.
Key features:
Most common module — covers virtually all SaaS/cloud vendor relationships
Also serves as the Article 28 data processing agreement (DPA)
Includes sub-processor management provisions
Data importer processes data only on the exporter's instructions
Module 3: Processor to Sub-Processor
Scenario: Your EU-based processor (e.g., managed service provider) engages a non-EU sub-processor.
Key features:
Used in processor chains — the original controller must have authorised the transfer
The EU processor (data exporter) remains accountable
Ensures protections flow down through the processing chain
Module 4: Processor to Controller
Scenario: A non-EU entity processes data in the EU (as a processor) and transfers it back to a non-EU controller. This is relatively rare but applies in some outsourcing arrangements.
How to Choose the Right Module
| Your Role | Your Vendor/Partner's Role | Their Location | Module |
|---|---|---|---|
| EU controller | Non-EU controller | Outside EU, no adequacy decision | Module 1 |
| EU controller | Non-EU processor | Outside EU, no adequacy decision | Module 2 |
| EU processor | Non-EU sub-processor | Outside EU, no adequacy decision | Module 3 |
| EU processor | Non-EU controller | Outside EU, no adequacy decision | Module 4 |
Multi-Module Scenarios
Some vendor relationships involve multiple modules. For example, a US SaaS vendor might:
Process data on your behalf (Module 2 — C2P)
Use the data for their own analytics or product improvement (Module 1 — C2C)
In such cases, you may need to execute both modules within the same SCC agreement.
Transfer Impact Assessment (TIA)
The Schrems II judgment established that SCCs alone are not sufficient. Before transferring data using SCCs, you must assess whether the legal framework of the destination country allows the data importer to comply with the SCCs.
TIA Steps
| Step | Activity | Output |
|---|---|---|
| 1 | Document the transfer | What data, to whom, where, for what purpose, which SCC module |
| 2 | Identify relevant third-country law | Government surveillance laws, data access powers, privacy protections |
| 3 | Assess whether the law undermines SCCs | Does it allow disproportionate government access? Are there independent oversight and remedies? |
| 4 | Assess practical application | Is the law actually applied to your type of data? Has the importer received government requests? |
| 5 | Determine if supplementary measures are needed | If third-country law undermines protections, identify and implement additional measures |
| 6 | Document the assessment | Written TIA with reasoning and conclusions |
| 7 | Review periodically | Update when third-country law changes or at least annually |
Key Factors in TIA Assessment
| Factor | What to Consider |
|---|---|
| Surveillance law | Does the country have broad government surveillance powers? (e.g., US FISA Section 702, UK IPA) |
| Scope of access | Can government agencies access the specific type of data you're transferring? |
| Safeguards | Are there independent oversight bodies, judicial authorisation requirements, proportionality tests? |
| Remedies | Can data subjects challenge government access (even if they don't know about it)? |
| Practical experience | Has the data importer received government access requests? How frequently? |
| Data type and sensitivity | Is the data of interest to government agencies? (Personal data of EU residents vs. aggregated statistics) |
| Technical measures | Does encryption or pseudonymisation prevent the importer (and government) from accessing data in clear text? |
US-Specific TIA Considerations
The US remains the most common TIA scenario. Key considerations:
| Factor | Assessment |
|---|---|
| FISA Section 702 | Allows intelligence collection from non-US persons; applies to US-based electronic communications service providers |
| Executive Order 12333 | Allows intelligence collection in transit; mitigated by end-to-end encryption |
| EU-US DPF | Provides additional safeguards (including a Data Protection Review Court) for transfers to DPF-certified organisations |
| CLOUD Act | Allows US government to compel US companies to produce data regardless of storage location |
| Practical risk | Assess whether your specific data is likely to be targeted (bulk collection vs. targeted surveillance) |
Supplementary Measures
If your TIA identifies risks, you must implement supplementary measures. The EDPB Recommendations 01/2020 provide guidance:
Technical Measures
| Measure | When Effective |
|---|---|
| End-to-end encryption | Effective if the data importer does not have the decryption keys (e.g., data encrypted before transfer; importer stores encrypted data) |
| Pseudonymisation | Effective if the importer cannot re-identify the data subjects without additional information held separately in the EU |
| Split or multi-party processing | Effective if no single entity outside the EU has access to the complete data set |
| Transport encryption (TLS) | Protects data in transit but not at rest; insufficient alone if importer can access data in clear text |
Organisational Measures
| Measure | Description |
|---|---|
| Transparency reports | Importer publishes reports on government access requests |
| Internal policies | Importer has policies to challenge government requests and notify the exporter |
| Staff training | Importer staff trained on obligations under SCCs |
| Minimisation | Limit the data transferred to what's strictly necessary |
Contractual Measures
| Measure | Description |
|---|---|
| Government access notification | Importer commits to notifying exporter of government access requests (unless legally prohibited) |
| Challenge commitment | Importer commits to challenging overbroad government requests |
| Audit enhancement | Enhanced audit rights beyond standard SCC provisions |
| Data localisation | Importer commits to processing and storing data only in specific locations |
Important: If no supplementary measures can effectively address the identified risks, you must suspend the transfer. This is the hard reality of Schrems II.
The EU-US Data Privacy Framework
The EU-US Data Privacy Framework (DPF), adopted on 10 July 2023, provides an adequacy decision for transfers to US organisations that are certified under the DPF.
How It Works
| Aspect | Details |
|---|---|
| Self-certification | US organisations voluntarily certify with the US Department of Commerce |
| Commitments | Certified organisations commit to DPF principles (purpose limitation, data minimisation, security, etc.) |
| Redress mechanism | EU individuals can file complaints through a new Data Protection Review Court (DPRC) |
| Scope | Only covers transfers to DPF-certified organisations — not all US companies |
| Verification | Check the DPF List at dataprivacyframework.gov to verify certification |
DPF vs. SCCs
| Factor | EU-US DPF | SCCs |
|---|---|---|
| Legal basis | Adequacy decision (Art. 45) | Appropriate safeguards (Art. 46) |
| Scope | US DPF-certified organisations only | Any country, any organisation |
| TIA required? | No (adequacy decision covers it) | Yes — always |
| Supplementary measures? | No (unless DPF is later invalidated) | If TIA identifies risks |
| Contractual requirement | No additional contract needed for transfer aspect | SCCs must be executed |
| Durability risk | Could be challenged (like Safe Harbor and Privacy Shield before it) | More durable — contractual mechanism |
Practical Recommendation
For transfers to US organisations that are DPF-certified:
Rely on the DPF adequacy decision as the primary mechanism
Keep SCCs in place as a backup in case the DPF is later invalidated (as happened with Safe Harbor and Privacy Shield)
This dual approach provides continuity if the DPF faces legal challenge
SCCs vs. Other Transfer Mechanisms
| Mechanism | Legal Basis | Best For | Limitations |
|---|---|---|---|
| Adequacy decisions | Art. 45 | Transfers to countries with adequacy | Limited number of countries; can be challenged |
| Standard Contractual Clauses | Art. 46(2)(c) | Most international transfers | Requires TIA; potentially supplementary measures |
| Binding Corporate Rules (BCRs) | Art. 47 | Intra-group transfers within multinational corporations | Complex approval process (12–18 months); significant cost; only for intra-group |
| Codes of conduct / Certification | Art. 46(2)(e)/(f) | Industry-specific transfers | Very few approved; limited practical applicability |
| Derogations (Art. 49) | Art. 49 | Occasional, non-repetitive transfers | Narrow conditions; not for systematic transfers |
Step-by-Step SCC Implementation
| Step | Activity | Who |
|---|---|---|
| 1 | Identify all international transfers through data mapping | DPO / Privacy team |
| 2 | Determine the transfer mechanism for each transfer (adequacy, SCCs, BCRs) | DPO / Legal |
| 3 | Select the appropriate SCC module based on the parties' roles | Legal |
| 4 | Complete the Annexes (description of transfer, technical measures, competent authority) | Privacy team + vendor |
| 5 | Conduct a Transfer Impact Assessment for each transfer | DPO / Legal |
| 6 | Identify and implement supplementary measures if TIA identifies risks | Privacy team + IT |
| 7 | Execute the SCCs — signed by both parties | Legal / Procurement |
| 8 | Document the TIA, supplementary measures, and SCC execution | DPO |
| 9 | Monitor for changes in third-country law or recipient circumstances | DPO (ongoing) |
| 10 | Review TIAs and SCCs periodically (at least annually) | DPO / Legal |
SCC Annexes: What to Include
The 2021 SCCs require three annexes:
Annex I: List of Parties and Description of Transfer
| Section | Content |
|---|---|
| I.A: List of parties | Data exporter (name, address, contact, role); Data importer (same) |
| I.B: Description of transfer | Categories of data subjects, categories of personal data, sensitive data (if any), frequency of transfer, nature of processing, purpose, retention period |
Note also that your processor's sub-processors may transfer data onward to additional countries: require sub-processor lists, and assess and execute SCCs for those sub-processor transfers.
Frequently Asked Questions
Do I need SCCs for transfers to the UK after Brexit?
No — the European Commission adopted an adequacy decision for the UK on 28 June 2021, valid for four years (extended/renewed subsequently). However, the UK has its own international transfer mechanism (UK International Data Transfer Agreement and UK addendum to EU SCCs). If you transfer data from the EU to the UK, the adequacy decision covers it. If you transfer from the UK to third countries, you need the UK's transfer mechanisms.
Can I use one SCC for multiple transfers to the same vendor?
Yes — you can execute a single SCC agreement covering multiple transfer activities to the same data importer, as long as you list all transfers in Annex I.B. Many organisations execute SCCs as part of a broader DPA that covers all processing activities with a vendor.
How often should I review my TIAs?
At minimum, annually. Additionally, review when: the destination country changes its surveillance or data protection laws, the data importer's circumstances change (e.g., they receive a government access request), your supervisory authority issues new guidance, or the type of data you transfer changes.
Are SCCs required for data stored in an EU data centre by a US company?
This is a nuanced area. If the US company can technically access the data (e.g., for support purposes), it's likely a transfer requiring SCCs. If the data is truly isolated and the US entity cannot access it, SCCs may not be needed — but this must be carefully assessed. The CLOUD Act allows US authorities to compel US companies to produce data regardless of storage location, which complicates the analysis.
What happens if the EU-US DPF is invalidated?
If the DPF is invalidated (as happened with Safe Harbor and Privacy Shield), transfers relying solely on the DPF would lose their legal basis. This is why maintaining SCCs alongside the DPF is recommended — you have a fallback mechanism. You would then need to update your TIA for US transfers and implement supplementary measures appropriate to the post-DPF landscape.
Can I use SCCs for transfers to a country with an adequacy decision?
You can, but it's unnecessary. If a country has an adequacy decision, transfers to that country are permitted without additional mechanisms. However, some organisations use SCCs as an extra layer of contractual protection, particularly if there's concern about the adequacy decision being challenged.
Do SCCs apply to employee data?
Yes — if you transfer employee personal data outside the EU (e.g., to a US parent company's HR system or a non-EU payroll processor), you need a transfer mechanism. For intra-group transfers, BCRs may be more appropriate, but SCCs work as well. Remember that employee consent is generally not a valid legal basis for employment-related data transfers due to the power imbalance.
What is the penalty for non-compliant international transfers?
Under GDPR Article 83(5), infringements of the international transfer provisions (Articles 44–49) are subject to the maximum penalty: up to EUR 20 million or 4% of global annual turnover, whichever is higher. Several supervisory authorities have issued significant fines for international transfer violations — most notably the Irish DPC's EUR 1.2 billion fine against Meta in 2023.
Standard Contractual Clauses remain the workhorse mechanism for international data transfers under the GDPR. They're flexible, widely accepted, and applicable to virtually any transfer scenario. But since Schrems II, signing SCCs is only the beginning — you must conduct Transfer Impact Assessments, implement supplementary measures where needed, and monitor the legal landscape for changes.
The practical approach: map all your international transfers, execute 2021 SCCs with complete annexes, conduct thorough TIAs, leverage the EU-US DPF where applicable (with SCCs as backup), and review annually.
Sources: GDPR (Regulation 2016/679) Articles 44–49, Commission Implementing Decision (EU) 2021/914, EDPB Recommendations 01/2020 on Supplementary Measures, Schrems II Judgment (C-311/18), EU-US Data Privacy Framework Adequacy Decision (2023)
Ivana Ludiga, Associate, mag. iur.
Ivana Ludiga, mag. iur., is an Associate at Vision Compliance focused on data protection, GDPR implementation, and regulatory advisory. She supports compliance projects for organizations across healthcare, financial services, and technology sectors.