What are Standard Contractual Clauses (SCCs)?


Understanding Standard Contractual Clauses (SCCs) for GDPR Compliance

Standard Contractual Clauses (SCCs) are clauses drafted by the European Commission to help ensure GDPR compliance when transferring personal data outside the European Economic Area (EEA).

This article explains how SCCs work, when and how to use them, and how to implement and monitor your organisation’s SCCs in a GDPR-compliant way.

What are Standard Contractual Clauses (SCCs)?

The GDPR’s data protection standards are among the strongest in the world. However, data is fluid, and the internet transcends national borders and legal jurisdictions.

The GDPR doesn’t require that personal data is stored exclusively in the EU. “International data transfers” are very common. But they must comply with Chapter V of the GDPR.

Chapter V of the GDPR provides several ways to conduct an international data transfer:

  1. If the destination country has an “adequacy decision” from the European Commission (Article 45). The European Commission maintains a list of countries with “adequate” data protection standards. You don’t need to use SCCs or any other safeguard when transferring personal data to an “adequate country”.
  2. If you use one of the GDPR’s “transfer mechanisms” (Article 46), including SCCs.
  3. If a “derogation” (exception) applies (Article 49), for example if the data subject has explicitly consented to the transfer or if the transfer is necessary to protect someone’s life or health. The derogations are only to be used in exceptional situations.

SCCs are one of the “transfer mechanisms” set out at Article 46 of the GDPR (item 2, above), and they’re the most common way to conduct an international data transfer to organisations in countries without an adequacy decision.

A contract containing SCCs binds the data “importer” (located outside the EEA) to the GDPR’s principles, rights, and obligations. In other words, the importer will be legally required to uphold EU standards when processing the personal data they import from the EEA.

Key Components of the Modernised SCCs

The EU’s latest set of SCCs appear in Commission Implementing Decision (EU) 2021/914. Here’s a quick tour of the legislation so you know what you’re signing up to before implementing the SCCs.

Section I: General Introductory Provisions

Section I’s clauses introduce the SCCs, explaining key aspects such as:

  • Their purpose (ensuring GDPR compliance)
  • The parties to the transfer (the data exporter and importer)
  • Third-party beneficiaries of the contract (data subjects, who can enforce the SCCs against the parties)

Section I also includes an optional “docking clause” (Clause 7), which allows new parties to join the contract after it has been signed.

Section II: Obligations of the Parties

Section II sets out the requirements on the exporter and (more significantly) the importer with respect to the personal data being transferred.

The SCCs impose the following obligations, among others:

  • Data minimisation: Both parties must ensure that the personal data processed is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  • Transparency: Data exporters must provide clear and comprehensive information about the transfer, including its purpose, the categories of personal data involved, and how data subjects can exercise their rights.
  • Data security: Both parties must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
  • Sub-processors: Data importers must obtain prior specific or general written authorisation from the data exporter before engaging any sub-processor. Additionally, sub-processors must be bound by the same data protection obligations as those stipulated in the SCCs.
  • Data subject rights: Parties must work together to uphold the rights of data subjects.

This section of the SCCs is “modular”: Not all clauses are relevant to every transfer scenario, and only the relevant clauses will form part of the contract. We’ll look at the modular nature of the SCCs below.

Section III: Local Laws and Access by Public Authorities

An important reason for SCCs is to protect personal data from access by non-EEA public authorities (such as law enforcement and intelligence agencies).

By signing the SCCs, the parties warrant that they have no reason to believe that public authorities in the importer’s country will force them to violate the SCCs.

For example, the SCCs may prohibit the importer from giving a local police force access to personal data without a warrant. In some countries, the importer may refuse such an order. In others, refusing such an order might be legally or practically impossible.

Before signing the SCCs and warranting that such a scenario will not occur, the parties must consider:

  • The specific circumstances of the transfer (e.g., what types of data are involved, and what technologies are used to share the data).
  • The laws and practices of the third country (e.g., laws that allow public authorities to intercept data, and whether public authorities obey such laws in reality).
  • The “contractual, technical, and organisational safeguards” put in place to prevent public authorities from accessing the data.

The process for considering these factors is known as a “Transfer Impact Assessment” (TIA). According to the European Data Protection Board (EDPB), exporters and importers should conduct a TIA before relying on SCCs to ensure that they will effectively protect the personal data in question.

We’ll provide some resources on TIAs toward the end of this article.

Section III of the SCCs also requires the data importer to notify the data exporter if a public authority requests access to the data and to challenge any request that would violate the SCCs, where appropriate.

Section IV: Non-Compliance, Termination, and Governing Law

Section IV of the SCCs explains what happens if either party violates the SCCs or if the importer discovers that it cannot fulfil its obligations under the SCCs. The data exporter may terminate the contract early if the importer fails to comply with an order from an EEA-based regulator.

This section also allows the parties to agree on which country’s laws will govern the interpretation of the SCCs and handle any legal disputes arising from the transfer.

Understanding the Four Modules of SCCs

As noted, the SCCs are “modular”. This means some transfers are covered by some parts of the SCCs but not others.

There are four SCC modules covering four distinct scenarios, depending on which party is a controller and which is a processor. Here are some examples of when each module is appropriate.

Module 1: Controller to Controller (C2C)

Module 1 is for transfers from a controller to another controller. For example:

  • Exporter: German consultancy
  • Importer: US market research company

A German consultancy collects its clients’ feedback through surveys and analyses the data for its own purposes.

Where it has its users’ consent, the German company shares data with a US market research company, which uses the data for its own purposes.

Both companies are controllers and they use Module 1 SCCs to facilitate the data transfer.

Module 2: Controller to Processor (C2P)

Module 2 applies when a controller transfers data to a processor. For example:

  • Exporter: Polish retailer
  • Importer: Brazilian analytics company

A Polish retailer wants to analyse user activity on its website. The retailer engages a Brazilian analytics provider to analyse the data on its behalf.

The Polish retailer is a controller and the Brazilian analytics company is a processor. The companies use Module 2 SCCs to facilitate the data transfer.

Module 3: Processor to Processor (P2P)

Module 3 applies when a processor transfers data to another processor (or a subprocessor). For example:

  • Exporter: Spanish email marketing company
  • Importer: South African data security provider

A Spanish email marketing company manages email lists on behalf of its customers. The Spanish company engages a South African data security provider to secure the email lists against cybersecurity incidents.

The Spanish email marketing company is a processor, and the South African data security provider is its subprocessor. The companies use Module 3 SCCs to facilitate the data transfer.

Module 4: Processor to Controller (P2C)

Module 4 covers a slightly obscure scenario: An EEA-based processor obtains personal data from a non-EEA-based controller and returns the personal data to the controller. For example:

  • Exporter: Italian data analytics provider
  • Importer: Egyptian retailer

An Italian data analytics provider is engaged by an Egyptian retailer to analyse the behaviour of shoppers at its online store. The Egyptian retailer exports personal data to the Italian company for analysis.

The Egyptian retailer is a controller. The Italian analytics provider is a processor, but it’s still covered by the GDPR, so it must comply with Chapter V of the GDPR when transferring the analysed personal data back to the Egyptian retailer. The companies use Module 4 SCCs to facilitate the transfer.

Note: Although the UK’s version of the GDPR is practically identical to the EU’s, the UK regulator does not recognise this scenario as an international data transfer. Only organisations subject to the EU GDPR need to use SCCs in this scenario. Read more in our article on UK International Data Transfer Agreements (IDTAs).

How to Implement Standard Contractual Clauses (SCCs)

We’ve looked at what the SCCs are and how they work. Next up, here are a few tips to help you put the SCCs in place.

Identify and map your data transfers

Before implementing SCCs, you must identify whether you are conducting an international data transfer and map out the destinations of the personal data (including whether the importer will conduct “onward transfers” to another third country).

As noted, an international data transfer requires two parties: an exporter (based in the EEA and subject to the GDPR) and an importer (outside the EEA).

You should maintain a comprehensive map of every international data transfer relevant to your organisation.

Assess whether SCCs are effective

This part of the international data transfer process is arguably the most challenging and is known as a “Transfer Impact Assessment” (TIA).

A TIA is required before conducting an international data transfer because SCCs are just a contract—they do not always prevent non-EEA authorities from demanding or obtaining the personal data and violating people’s data protection rights.

As such, the exporter (ideally with the assistance of the importer) must assess the laws and practices of the importer’s jurisdiction to ensure this won’t happen in a way that undermines people’s data protection rights.

For example: Does the importing country’s law allow the intelligence services to intercept data from undersea cables? If not, do the intelligence services intercept data anyway? Or can law enforcement authorities demand personal data from businesses without proper court oversight?

Adopt supplementary measures

Next, the exporter should consider putting “technical or organisational measures” in place to ensure effective protection of the personal data being transferred.

  • A technical measure might involve encrypting the personal data to ensure that the importer cannot disclose it to law enforcement authorities.
  • An organisational measure might involve ensuring that the importer has adequate data protection training, policies, or certifications in place.

If no effective technical or organisational measures are possible, you might need to consider whether you can legally conduct the international data transfer.

Negotiate and sign the SCCs

The SCCs form part of a contract between the exporter and importer—the contract must be agreed and signed before the transfer takes place.

The parties cannot modify or exclude any of the SCCs’ mandatory clauses. However, some elements of the SCCs are optional (such as the “docking clause”), and the importer and exporter may negotiate the security controls or commercial aspects of the transfer.

Re-evaluate at appropriate intervals

As with most data protection compliance activities, implementing SCCs is not a “one and done” exercise—you must review the international data transfer arrangement at “appropriate intervals” and ensure that the SCCs are still an effective data protection tool.

If the law changes in the importer’s jurisdiction, an authoritarian government takes power, or a new technology undermines the agreed technical safeguards, SCCs might no longer be effective or appropriate. Keeping SCCs under review will help avoid such eventualities.

The parties might formally agree to a review period, or the exporter might decide to review its SCCs regularly (e.g. once per year). Riskier data transfers require more frequent re-evaluation.

Frequently Asked Questions about Standard Contractual Clauses

What are the penalties for not using SCCs for international data transfers?

Failing to implement SCCs can violate the GDPR’s international data transfer rules and attract the highest tier of penalties: up to 4% of global annual turnover or up to €20 million (whichever is higher).

In August 2024, Uber received a €290 million fine from the Dutch Data Protection Authority (DPA) after transferring personal data between its EU and US entities without SCCs (or any other transfer mechanism) in place.

Can SCCs be used for data transfers within the same country?

Yes, in some circumstances. Recital 111 refers to the possibility of “onward transfers of personal data from the third country… to controllers, processors in the same or another third country.”

For example:

  • A French retailer transfers personal data to a Brazilian analytics provider using SCCs.
  • The Brazilian analytics provider wishes to share the data with a Brazilian email marketing company.

This arrangement could constitute an “onward transfer” for which SCCs might provide a suitable safeguard—despite the fact that both companies are in Brazil.

How often should SCCs be reviewed and updated?

The GDPR and surrounding regulatory guidance don’t provide a definitive timeframe for reviewing SCCs. As noted, the parties might agree to a regular review period when negotiating the SCCs. Generally, riskier data transfers involving sensitive data will require more frequent reviews.

What is the difference between SCCs and Binding Corporate Rules (BCRs)?

While any organisation subject to the GDPR can consider using SCCs to facilitate an international data transfer, Binding Corporate Rules (BCRs) are exclusively used by international enterprises transferring personal data across legal entities within a corporate group.

BCRs also require approval by a Data Protection Authority (DPA)—a process that can be expensive and time-consuming.

As such, BCRs are normally appropriate for large, well-resourced businesses, whereas organisations of any size can rely on SCCs.

Best Practices for Using SCCs Effectively

Take the following steps to help ensure you use SCCs effectively:

  • Know your transfers: Ensure every relevant person in your team can recognise an international data transfer that requires the implementation of SCCs.
  • Assess whether SCCs “work”: Before implementing SCCs, ensure they can adequately protect the data you’re transferring. If not, consider other options—including not conducting the transfer.
  • Implement supplementary measures: Beyond the contractual protections provided via SCCs, put “technical and organisational measures” in place to safeguard the personal data.
  • Use the correct modules: Consider which SCC module is appropriate in the circumstances, and ensure the contract includes all the necessary clauses.
  • Keep SCCs under review: Set a regular review period to ensure your SCCs remain effective and up-to-date in light of changing circumstances and legal requirements.

Further Reading and Resources on Standard Contractual Clauses

November 28, 2024