Standard Contractual Clauses (SCCs) are pre-approved legal clauses adopted by the European Commission that organisations must incorporate into contracts when transferring personal data from the EU/EEA to countries without an adequacy decision, serving as the most widely used GDPR mechanism for lawful international data transfers.
Every time your European customer data flows to a US SaaS provider, a customer support centre in India, or a cloud server in Singapore, you're making an international data transfer under the GDPR. And every international transfer to a country without an EU adequacy decision requires a legal mechanism to protect the data — the most widely used of which is Standard Contractual Clauses (SCCs).
Since the Court of Justice's Schrems II decision in July 2020 invalidated the EU-US Privacy Shield and imposed strict conditions on SCCs, international data transfers have become one of the most complex areas of GDPR compliance. The European Commission adopted new SCCs in June 2021, which are now the only valid version. The EU-US Data Privacy Framework (DPF) provides a new adequacy mechanism for transfers to certified US organisations — but it doesn't replace the need for SCCs in many scenarios.
This guide provides a complete, practical explanation of Standard Contractual Clauses — which modules to use, how to conduct a Transfer Impact Assessment, when the EU-US DPF applies, and how to implement SCCs properly.
| Quick Reference | Details |
|---|---|
| What are SCCs? | Pre-approved contractual clauses adopted by the European Commission for international data transfers under GDPR |
| Legal basis | GDPR Article 46(2)(c) — transfers subject to appropriate safeguards |
| Current version | Commission Implementing Decision (EU) 2021/914 (adopted 4 June 2021) |
| Old SCCs | Repealed — only the 2021 version is valid |
| Four modules | Controller→Controller, Controller→Processor, Processor→Processor, Processor→Controller |
| Transfer Impact Assessment (TIA) | Required for every transfer using SCCs — assesses third-country legal framework |
| EU-US Data Privacy Framework | Adequacy decision for transfers to DPF-certified US organisations (since 10 July 2023) |
| Supplementary measures | Additional technical, organisational, or contractual measures if third-country law undermines SCC protections |
| Penalty for non-compliant transfers | Up to EUR 20 million or 4% of global annual turnover |
Key Takeaways
- Standard Contractual Clauses are pre-approved contract terms adopted by the European Commission that provide legal safeguards for international data transfers
- The 2021 SCCs are the only valid version — any transfers still relying on the old 2010 SCCs are non-compliant
- SCCs use a modular system with four modules matching different transfer relationships (C2C, C2P, P2P, P2C)
- SCCs alone may not be sufficient — Schrems II requires a Transfer Impact Assessment (TIA) to evaluate whether the destination country's legal framework undermines the protections
- If the TIA reveals risks, you must implement supplementary measures (encryption, pseudonymisation, contractual safeguards) or suspend the transfer
- The EU-US Data Privacy Framework provides an adequacy decision for transfers to DPF-certified US companies — but you should verify the recipient's DPF certification and assess whether it covers your data types
- SCCs can be embedded in broader commercial contracts — they don't need to be a standalone document
- Regular reviews are essential — changes in third-country law or the recipient's circumstances can invalidate your TIA
Table of Contents
- What Are Standard Contractual Clauses?
- When Do You Need SCCs?
- The Four SCC Modules Explained
- How to Choose the Right Module
- Transfer Impact Assessment (TIA)
- Supplementary Measures
- The EU-US Data Privacy Framework
- SCCs vs. Other Transfer Mechanisms
- Step-by-Step SCC Implementation
- SCC Annexes: What to Include
- Common SCC Scenarios
- SCC Compliance Checklist
- Common Mistakes with SCCs
- Frequently Asked Questions
- Related Resources
What Are Standard Contractual Clauses?
Standard Contractual Clauses (SCCs) are pre-approved contractual terms adopted by the European Commission under GDPR Article 46(2)(c). When you transfer personal data from the EU/EEA to a country that doesn't have an adequacy decision (i.e., the European Commission has not determined that the country provides an adequate level of data protection), SCCs provide the legally required safeguards.
SCCs create binding obligations between the data exporter (the party sending data out of the EU) and the data importer (the party receiving data outside the EU). The clauses impose GDPR-equivalent protections on the data importer, including:
- Processing data only for specified purposes
- Implementing appropriate technical and organisational security measures
- Complying with data subject rights requests
- Notifying the exporter of government access requests
- Submitting to EU supervisory authority jurisdiction
- Allowing the exporter to audit the importer's compliance
When Do You Need SCCs?
Decision Tree
Is the data transfer to a country within the EU/EEA?
├── Yes → No transfer mechanism needed
└── No → Does the destination country have an EU adequacy decision?
├── Yes → Transfer permitted under adequacy decision
│ (but verify scope — some adequacy decisions are limited)
└── No → You need a transfer mechanism:
├── SCCs (most common)
├── Binding Corporate Rules (BCRs) — for intra-group transfers
├── Approved code of conduct or certification
└── Derogations (Art. 49) — narrow circumstances only
Countries with EU Adequacy Decisions (as of 2026)
| Country/Territory | Scope |
|---|---|
| Andorra, Argentina, Canada (PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay | Full adequacy |
| United States | EU-US Data Privacy Framework — only for DPF-certified organisations |
All other countries require a transfer mechanism — most commonly SCCs.
The Four SCC Modules Explained
The 2021 SCCs use a modular approach. You select the module that matches your transfer relationship:
| Module | Transfer Relationship | When to Use |
|---|---|---|
| Module 1 | Controller → Controller (C2C) | EU controller transfers data to a non-EU controller |
| Module 2 | Controller → Processor (C2P) | EU controller transfers data to a non-EU processor |
| Module 3 | Processor → Processor (P2P) | EU processor transfers data to a non-EU sub-processor (on behalf of an EU controller) |
| Module 4 | Processor → Controller (P2C) | Non-EU processor transfers data back to a non-EU controller (rare scenario) |
Module 1: Controller to Controller
Scenario: Your EU organisation shares customer data with a non-EU business partner for their own purposes (joint marketing, partnerships, M&A due diligence).
Key features:
- Both parties are independent controllers with their own purposes
- Data importer must comply with GDPR-equivalent requirements
- Data subjects have direct enforcement rights against the importer
Module 2: Controller to Processor
Scenario: Your EU organisation uses a US SaaS platform (CRM, cloud hosting, analytics, email marketing) that processes data on your behalf.
Key features:
- Most common module — covers virtually all SaaS/cloud vendor relationships
- Also serves as the Article 28 data processing agreement (DPA)
- Includes sub-processor management provisions
- Data importer processes data only on the exporter's instructions
Module 3: Processor to Sub-Processor
Scenario: Your EU-based processor (e.g., managed service provider) engages a non-EU sub-processor.
Key features:
- Used in processor chains — the original controller must have authorised the transfer
- The EU processor (data exporter) remains accountable
- Ensures protections flow down through the processing chain
Module 4: Processor to Controller
Scenario: A non-EU entity processes data in the EU (as a processor) and transfers it back to a non-EU controller. This is relatively rare but applies in some outsourcing arrangements.
How to Choose the Right Module
| Your Role | Your Vendor/Partner's Role | Their Location | Module |
|---|---|---|---|
| EU controller | Non-EU controller | Outside EU, no adequacy decision | Module 1 |
| EU controller | Non-EU processor | Outside EU, no adequacy decision | Module 2 |
| EU processor | Non-EU sub-processor | Outside EU, no adequacy decision | Module 3 |
| EU processor | Non-EU controller | Outside EU, no adequacy decision | Module 4 |
Multi-Module Scenarios
Some vendor relationships involve multiple modules. For example, a US SaaS vendor might:
- Process data on your behalf (Module 2 — C2P)
- Use the data for their own analytics or product improvement (Module 1 — C2C)
In such cases, you may need to execute both modules within the same SCC agreement.
Transfer Impact Assessment (TIA)
The Schrems II judgment established that SCCs alone are not sufficient. Before transferring data using SCCs, you must assess whether the legal framework of the destination country allows the data importer to comply with the SCCs.
TIA Steps
| Step | Activity | Output |
|---|---|---|
| 1 | Document the transfer | What data, to whom, where, for what purpose, which SCC module |
| 2 | Identify relevant third-country law | Government surveillance laws, data access powers, privacy protections |
| 3 | Assess whether the law undermines SCCs | Does it allow disproportionate government access? Are there independent oversight and remedies? |
| 4 | Assess practical application | Is the law actually applied to your type of data? Has the importer received government requests? |
| 5 | Determine if supplementary measures are needed | If third-country law undermines protections, identify and implement additional measures |
| 6 | Document the assessment | Written TIA with reasoning and conclusions |
| 7 | Review periodically | Update when third-country law changes or at least annually |
Key Factors in TIA Assessment
| Factor | What to Consider |
|---|---|
| Surveillance law | Does the country have broad government surveillance powers? (e.g., US FISA Section 702, UK IPA) |
| Scope of access | Can government agencies access the specific type of data you're transferring? |
| Safeguards | Are there independent oversight bodies, judicial authorisation requirements, proportionality tests? |
| Remedies | Can data subjects challenge government access (even if they don't know about it)? |
| Practical experience | Has the data importer received government access requests? How frequently? |
| Data type and sensitivity | Is the data of interest to government agencies? (Personal data of EU residents vs. aggregated statistics) |
| Technical measures | Does encryption or pseudonymisation prevent the importer (and government) from accessing data in clear text? |
US-Specific TIA Considerations
The US remains the most common TIA scenario. Key considerations:
| Factor | Assessment |
|---|---|
| FISA Section 702 | Allows intelligence collection from non-US persons; applies to US-based electronic communications service providers |
| Executive Order 12333 | Allows intelligence collection in transit; mitigated by end-to-end encryption |
| EU-US DPF | Provides additional safeguards (including a Data Protection Review Court) for transfers to DPF-certified organisations |
| CLOUD Act | Allows US government to compel US companies to produce data regardless of storage location |
| Practical risk | Assess whether your specific data is likely to be targeted (bulk collection vs. targeted surveillance) |
Supplementary Measures
If your TIA identifies risks, you must implement supplementary measures. The EDPB Recommendations 01/2020 provide guidance:
Technical Measures
| Measure | When Effective |
|---|---|
| End-to-end encryption | Effective if the data importer does not have the decryption keys (e.g., data encrypted before transfer; importer stores encrypted data) |
| Pseudonymisation | Effective if the importer cannot re-identify the data subjects without additional information held separately in the EU |
| Split or multi-party processing | Effective if no single entity outside the EU has access to the complete data set |
| Transport encryption (TLS) | Protects data in transit but not at rest; insufficient alone if importer can access data in clear text |
Organisational Measures
| Measure | Description |
|---|---|
| Transparency reports | Importer publishes reports on government access requests |
| Internal policies | Importer has policies to challenge government requests and notify the exporter |
| Staff training | Importer staff trained on obligations under SCCs |
| Minimisation | Limit the data transferred to what's strictly necessary |
Contractual Measures
| Measure | Description |
|---|---|
| Government access notification | Importer commits to notifying exporter of government access requests (unless legally prohibited) |
| Challenge commitment | Importer commits to challenging overbroad government requests |
| Audit enhancement | Enhanced audit rights beyond standard SCC provisions |
| Data localisation | Importer commits to processing and storing data only in specific locations — for a broader analysis of when localisation is advisable, see our Data Sovereignty in the EU guide |
Important: If no supplementary measures can effectively address the identified risks, you must suspend the transfer. This is the hard reality of Schrems II.
The EU-US Data Privacy Framework
The EU-US Data Privacy Framework (DPF), adopted on 10 July 2023, provides an adequacy decision for transfers to US organisations that are certified under the DPF.
How It Works
| Aspect | Details |
|---|---|
| Self-certification | US organisations voluntarily certify with the US Department of Commerce |
| Commitments | Certified organisations commit to DPF principles (purpose limitation, data minimisation, security, etc.) |
| Redress mechanism | EU individuals can file complaints through a new Data Protection Review Court (DPRC) |
| Scope | Only covers transfers to DPF-certified organisations — not all US companies |
| Verification | Check the DPF List at dataprivacyframework.gov to verify certification |
DPF vs. SCCs
| Factor | EU-US DPF | SCCs |
|---|---|---|
| Legal basis | Adequacy decision (Art. 45) | Appropriate safeguards (Art. 46) |
| Scope | US DPF-certified organisations only | Any country, any organisation |
| TIA required? | No (adequacy decision covers it) | Yes — always |
| Supplementary measures? | No (unless DPF is later invalidated) | If TIA identifies risks |
| Contractual requirement | No additional contract needed for transfer aspect | SCCs must be executed |
| Durability risk | Could be challenged (like Safe Harbor and Privacy Shield before it) | More durable — contractual mechanism |
Practical Recommendation
For transfers to US organisations that are DPF-certified:
- Rely on the DPF adequacy decision as the primary mechanism
- Keep SCCs in place as a backup in case the DPF is later invalidated (as happened with Safe Harbor and Privacy Shield)
- This dual approach provides continuity if the DPF faces legal challenge
SCCs vs. Other Transfer Mechanisms
| Mechanism | Legal Basis | Best For | Limitations |
|---|---|---|---|
| Adequacy decisions | Art. 45 | Transfers to countries with adequacy | Limited number of countries; can be challenged |
| Standard Contractual Clauses | Art. 46(2)(c) | Most international transfers | Requires TIA; potentially supplementary measures |
| Binding Corporate Rules (BCRs) | Art. 47 | Intra-group transfers within multinational corporations | Complex approval process (12–18 months); significant cost; only for intra-group |
| Codes of conduct / Certification | Art. 46(2)(e)/(f) | Industry-specific transfers | Very few approved; limited practical applicability |
| Derogations (Art. 49) | Art. 49 | Occasional, non-repetitive transfers | Narrow conditions; not for systematic transfers |
Step-by-Step SCC Implementation
| Step | Activity | Who |
|---|---|---|
| 1 | Identify all international transfers through data mapping | DPO / Privacy team |
| 2 | Determine the transfer mechanism for each transfer (adequacy, SCCs, BCRs) | DPO / Legal |
| 3 | Select the appropriate SCC module based on the parties' roles | Legal |
| 4 | Complete the Annexes (description of transfer, technical measures, competent authority) | Privacy team + vendor |
| 5 | Conduct a Transfer Impact Assessment for each transfer | DPO / Legal |
| 6 | Identify and implement supplementary measures if TIA identifies risks | Privacy team + IT |
| 7 | Execute the SCCs — signed by both parties | Legal / Procurement |
| 8 | Document the TIA, supplementary measures, and SCC execution | DPO |
| 9 | Monitor for changes in third-country law or recipient circumstances | DPO (ongoing) |
| 10 | Review TIAs and SCCs periodically (at least annually) | DPO / Legal |
SCC Annexes: What to Include
The 2021 SCCs require three annexes:
Annex I: List of Parties and Description of Transfer
| Section | Content |
|---|---|
| I.A: List of parties | Data exporter (name, address, contact, role); Data importer (same) |
| I.B: Description of transfer | Categories of data subjects, categories of personal data, sensitive data (if any), frequency of transfer, nature of processing, purpose, retention period |
| I.C: Competent supervisory authority | Which EU supervisory authority has jurisdiction |
Annex II: Technical and Organisational Measures
| Category | Examples to Include |
|---|---|
| Encryption | Encryption standards (AES-256, TLS 1.2+), key management |
| Access control | MFA, RBAC, privileged access management, regular access reviews |
| Data minimisation | Measures to limit data to what's necessary |
| Pseudonymisation | Techniques used (if applicable) |
| Incident management | Breach detection and notification procedures |
| Logging and monitoring | SIEM, audit logs, retention periods |
| Business continuity | Backup procedures, DR testing |
| Personnel security | Background checks, training, confidentiality agreements |
| Certifications | ISO 27001, SOC 2, etc. |
Annex III: Sub-Processors (Module 2 and 3 Only)
| Field | Content |
|---|---|
| Sub-processor name | Legal entity name |
| Contact details | Address, contact person |
| Description of processing | What processing the sub-processor performs |
| Location | Country where processing takes place |
Common SCC Scenarios
Scenario 1: EU Company Using US SaaS (Salesforce, AWS, Google Cloud)
| Element | Details |
|---|---|
| Module | Module 2 (Controller → Processor) |
| DPF applicable? | Check if the vendor is DPF-certified — most large US tech companies are |
| SCCs needed? | As backup even if DPF applies; required if vendor is not DPF-certified |
| TIA | Assess FISA 702, CLOUD Act risk; consider data type and practical risk |
| Supplementary measures | Encryption at rest (customer-managed keys if available), TLS in transit, access controls |
Scenario 2: EU Company Outsourcing Support to India
| Element | Details |
|---|---|
| Module | Module 2 (Controller → Processor) |
| DPF applicable? | No — India does not have adequacy |
| SCCs required | Yes — mandatory |
| TIA | Assess Indian surveillance law (IT Act 2000); assess practical risk |
| Supplementary measures | Access controls (limited to necessary data), monitoring, contractual commitments |
Scenario 3: EU Processor Using Non-EU Sub-Processor
| Element | Details |
|---|---|
| Module | Module 3 (Processor → Sub-Processor) |
| Controller authorisation | The EU controller must have authorised the sub-processing and the international transfer |
| TIA | The EU processor (as exporter) conducts the TIA |
| Supplementary measures | As determined by TIA |
SCC Compliance Checklist
- All international data transfers identified and documented
- Transfer mechanism determined for each transfer (adequacy, SCCs, BCRs, derogation)
- Correct SCC module selected for each transfer
- 2021 SCCs used (not the old 2010 version)
- All three Annexes completed for each SCC
- Transfer Impact Assessment conducted for each SCC-based transfer
- Supplementary measures identified and implemented where TIA reveals risks
- SCCs executed (signed) by both parties
- TIAs documented and stored
- DPF certification verified (if relying on EU-US DPF)
- Sub-processor list maintained and updated
- Regular review schedule established (at least annually)
- Process in place to suspend transfers if circumstances change
Common Mistakes with SCCs
| # | Mistake | Consequence | Prevention |
|---|---|---|---|
| 1 | Using old (pre-2021) SCCs | Transfers are non-compliant; no valid legal mechanism | Migrate all transfers to 2021 SCCs |
| 2 | Signing SCCs without a TIA | Violates Schrems II requirements; risk of enforcement | Conduct TIA for every SCC-based transfer |
| 3 | Modifying the SCC clauses | Modified SCCs are not "standard" and may not provide valid Art. 46 safeguards | Use the clauses exactly as adopted; add supplementary measures via the annexes |
| 4 | Empty or generic Annexes | Regulators see this immediately; undermines the SCC protections | Complete annexes with specific, detailed information about each transfer |
| 5 | Relying solely on the DPF | DPF could be invalidated (like Safe Harbor and Privacy Shield) | Maintain SCCs as backup for all US transfers |
| 6 | No supplementary measures when TIA requires them | Transfers should be suspended if protections are undermined and no measures can address it | Implement technical, organisational, and contractual measures or suspend the transfer |
| 7 | Not updating TIAs when law changes | Assessment becomes outdated; compliance risk | Monitor third-country legal developments; review TIAs annually |
| 8 | Ignoring sub-processor transfers | Your processor's sub-processor may transfer data to additional countries | Require sub-processor lists; assess and execute SCCs for sub-processor transfers |
Frequently Asked Questions
Do I need SCCs for transfers to the UK after Brexit?
No — the European Commission adopted an adequacy decision for the UK on 28 June 2021, valid for four years (extended/renewed subsequently). However, the UK has its own international transfer mechanism (UK International Data Transfer Agreement and UK addendum to EU SCCs). If you transfer data from the EU to the UK, the adequacy decision covers it. If you transfer from the UK to third countries, you need the UK's transfer mechanisms. For a detailed comparison of the two regimes, see our GDPR vs UK GDPR guide.
Can I use one SCC for multiple transfers to the same vendor?
Yes — you can execute a single SCC agreement covering multiple transfer activities to the same data importer, as long as you list all transfers in Annex I.B. Many organisations execute SCCs as part of a broader DPA that covers all processing activities with a vendor.
How often should I review my TIAs?
At minimum, annually. Additionally, review when: the destination country changes its surveillance or data protection laws, the data importer's circumstances change (e.g., they receive a government access request), your supervisory authority issues new guidance, or the type of data you transfer changes.
Are SCCs required for data stored in an EU data centre by a US company?
This is a nuanced area. If the US company can technically access the data (e.g., for support purposes), it's likely a transfer requiring SCCs. If the data is truly isolated and the US entity cannot access it, SCCs may not be needed — but this must be carefully assessed. The CLOUD Act allows US authorities to compel US companies to produce data regardless of storage location, which complicates the analysis.
What happens if the EU-US DPF is invalidated?
If the DPF is invalidated (as happened with Safe Harbor and Privacy Shield), transfers relying solely on the DPF would lose their legal basis. This is why maintaining SCCs alongside the DPF is recommended — you have a fallback mechanism. You would then need to update your TIA for US transfers and implement supplementary measures appropriate to the post-DPF landscape.
Can I use SCCs for transfers to a country with an adequacy decision?
You can, but it's unnecessary. If a country has an adequacy decision, transfers to that country are permitted without additional mechanisms. However, some organisations use SCCs as an extra layer of contractual protection, particularly if there's concern about the adequacy decision being challenged.
Do SCCs apply to employee data?
Yes — if you transfer employee personal data outside the EU (e.g., to a US parent company's HR system or a non-EU payroll processor), you need a transfer mechanism. For intra-group transfers, BCRs may be more appropriate, but SCCs work as well. Remember that employee consent is generally not a valid legal basis for employment-related data transfers due to the power imbalance.
What is the penalty for non-compliant international transfers?
Under GDPR Article 83(5), infringements of the international transfer provisions (Articles 44–49) are subject to the maximum penalty: up to EUR 20 million or 4% of global annual turnover, whichever is higher. Several supervisory authorities have issued significant fines for international transfer violations — most notably the Irish DPC's EUR 1.2 billion fine against Meta in 2023.
Related Resources
- GDPR Compliance Guide — Complete GDPR guide with international transfers in context
- Data Mapping for GDPR Guide — Data mapping identifies all your international transfers
- Privacy Impact Assessment Guide — DPIAs for high-risk processing involving international transfers
- EU Compliance Playbook for Non-EU Companies — How non-EU companies navigate GDPR requirements including SCCs
Related Articles
- GDPR Compliance: The Complete Guide for Organisations in 2026 — Full guide to GDPR obligations and compliance
- GDPR for US Companies Guide — How GDPR applies to American businesses
- GDPR Representative (Article 27) Guide — Appointing an EU representative for non-EU companies
Conclusion
Standard Contractual Clauses remain the workhorse mechanism for international data transfers under the GDPR. They're flexible, widely accepted, and applicable to virtually any transfer scenario. But since Schrems II, signing SCCs is only the beginning — you must conduct Transfer Impact Assessments, implement supplementary measures where needed, and monitor the legal landscape for changes.
The practical approach: map all your international transfers, execute 2021 SCCs with complete annexes, conduct thorough TIAs, leverage the EU-US DPF where applicable (with SCCs as backup), and review annually.
Need help with international data transfers? Vision Compliance guides organisations through SCC implementation, Transfer Impact Assessments, and supplementary measures — ensuring your international data flows are GDPR-compliant and defensible. Schedule a free consultation →
Sources: GDPR (Regulation 2016/679) Articles 44–49, Commission Implementing Decision (EU) 2021/914, EDPB Recommendations 01/2020 on Supplementary Measures, Schrems II Judgment (C-311/18), EU-US Data Privacy Framework Adequacy Decision (2023)
Ivana Ludiga, mag. iur., is an Associate at Vision Compliance focused on data protection, GDPR implementation, and regulatory advisory. She supports compliance projects for organizations across healthcare, financial services, and technology sectors.