Standard Contractual Clauses (SCCs) Explained (2026)
Standard Contractual Clauses (SCCs) are pre-approved contractual terms adopted by the European Commission that organizations use to transfer personal data from the European Economic Area (EEA) to countries that lack an EU adequacy decision. They are the most widely used legal mechanism for international data transfers under the GDPR, relied upon by tens of thousands of organizations worldwide.
The current SCCs, adopted on June 4, 2021, replaced earlier versions that predated the GDPR and did not address the concerns raised by the CJEU in its Schrems II ruling. The new clauses introduced a flexible modular system, built-in supplementary measure requirements, and provisions that directly address government surveillance access.
This guide explains the four SCC modules, when to use each one, how to conduct a Transfer Impact Assessment, the relationship between SCCs and the DPF, and the UK's separate transfer mechanisms.
Why the Old SCCs Were Replaced
The European Commission originally adopted two sets of Standard Contractual Clauses for data transfers. The 2001 (updated 2004) set covered controller-to-controller transfers. The 2010 set covered controller-to-processor transfers. Both were adopted under the 1995 Data Protection Directive (95/46/EC) and remained in use after the GDPR took effect in May 2018.
Several problems made replacement necessary. The old SCCs were drafted under the Directive, not the GDPR, and did not reflect the Regulation's expanded requirements around accountability, data breach notification, and data protection by design. They assumed only two parties (an EU data exporter and a non-EU data importer) and did not account for processor-to-processor or processor-to-controller transfer scenarios, which are common in cloud computing and multi-layered service provider relationships.
The CJEU's July 2020 Schrems II ruling (Case C-311/18) added urgency. While the Court upheld the validity of SCCs as a transfer mechanism in principle, it required data exporters to verify that the legal framework in the destination country does not undermine the protections the SCCs provide. If laws in the importing country (such as US surveillance laws) conflict with the SCC obligations, the exporter must implement "supplementary measures" to bridge the gap, or halt the transfer.
The European Data Protection Board (EDPB) issued Recommendations 01/2020 (finalized June 2021) detailing what supplementary measures organizations should consider. The new SCCs incorporate several of these requirements directly into the contractual text.
The Four SCC Modules
The 2021 SCCs use a modular approach. Rather than separate sets of clauses for different scenarios, a single framework contains four modules that parties select based on their roles and the direction of data flow.
Module 1: Controller to Controller (C2C)
Module 1 applies when an EU-based data controller transfers personal data to a controller outside the EEA. Both parties independently determine the purposes and means of processing.
Common scenarios include a European company sharing customer data with a US parent company for its own business purposes, or two companies in a joint marketing arrangement where each controls data independently.
Key obligations under Module 1 include providing data subjects with a copy of the SCCs upon request, applying the data exporter's purpose limitation requirements, and enabling data subjects to enforce clauses as third-party beneficiaries.
Module 2: Controller to Processor (C2P)
Module 2 covers the most common transfer scenario: an EU controller engaging a processor (such as a cloud provider, payroll processor, or analytics service) located outside the EEA. This module aligns with GDPR Article 28 requirements for processor agreements.
The data importer (processor) must process data only on documented instructions from the exporter. It must implement appropriate technical and organizational security measures, assist the controller with data subject rights requests, delete or return all data at the end of the service relationship, and notify the controller without undue delay of any personal data breach.
Sub-processing is permitted only with the controller's prior specific or general written authorization. The processor must impose the same data protection obligations on any sub-processor through a contract.
Module 3: Processor to Processor (P2P)
Module 3 addresses situations where an EU-based processor engages a sub-processor outside the EEA. This scenario is extremely common in cloud infrastructure chains. For example, an EU company uses a German cloud provider (processor), which in turn uses a US-based infrastructure provider (sub-processor).
The data flow runs from one processor to another, but the ultimate controller remains the EU entity that originally engaged the first processor. Module 3 requires the sub-processor to process data only according to the original controller's instructions, as communicated through the first processor.
Module 4: Processor to Controller (P2C)
Module 4 covers the reverse flow: when an EU-based processor returns or transfers data to its controller located outside the EEA. This scenario arises when, for instance, a European data processing service provider transfers results back to its non-EEA client who is the data controller.
This module is less commonly used than the others but fills a genuine gap. Under the old SCCs, no standard clauses existed for this transfer direction, forcing organizations to rely on alternative legal bases or ad hoc contractual arrangements.
Transfer Impact Assessments
The 2021 SCCs require parties to conduct a Transfer Impact Assessment (TIA) before relying on the clauses for data transfers. This requirement is built directly into Clause 14 of the SCCs.
What a TIA Involves
A TIA evaluates whether the laws and practices of the destination country provide a level of protection "essentially equivalent" to that guaranteed under EU law. The assessment must consider:
- The specific circumstances of the transfer, including the nature of the data, the purpose, the length of the processing chain, and the categories of recipients
- The laws of the destination country relevant to the transfer, particularly those governing government access to personal data for surveillance or law enforcement purposes
- Any relevant contractual, technical, or organizational safeguards in place to supplement the SCCs
The EDPB's Recommendations 01/2020 outline a six-step process for conducting TIAs:
1. Map your data transfers
2. Identify the transfer mechanism (SCCs in this case)
3. Assess whether the destination country's legal framework impairs the effectiveness of the transfer mechanism
4. Identify and adopt supplementary measures if needed
5. Take any procedural steps required by the supplementary measures
6. Re-evaluate at appropriate intervals
Supplementary Measures
When a TIA identifies risks, organizations must implement supplementary measures to restore the level of protection to an "essential equivalence" standard. These fall into three categories:
Technical measures include end-to-end encryption (where only the data exporter holds the decryption key), pseudonymization (where the mapping table stays in the EEA), and split or multi-party processing that prevents the importer from accessing data in the clear.
Contractual measures involve strengthening obligations beyond the SCC baseline. Examples include requiring the data importer to challenge government access requests through all available legal avenues, to notify the exporter of any legally binding request for data disclosure (to the extent permitted by law), and to provide periodic transparency reports.
Organizational measures include internal data governance policies, minimizing data transferred to what is strictly necessary, adopting strict access controls on the importer's side, and conducting regular audits.
The EDPB has emphasized that contractual and organizational measures alone cannot compensate for deficiencies in the destination country's legal framework if the government can compel access to data in the clear. Technical measures that prevent access to readable data are the most effective safeguard in high-risk jurisdictions.
How to Implement SCCs
Organizations implementing SCCs should follow a structured process to ensure compliance.
Step 1: Determine Applicable Modules
Map all international data transfers and identify the roles of each party. Select the appropriate module(s) for each transfer. A single SCC agreement can incorporate multiple modules if the parties have different roles for different processing activities.
Step 2: Complete the Annexes
The SCCs include several annexes that must be populated with transfer-specific details:
- Annex I: Describes the parties, the data transfer (categories of data subjects, types of personal data, frequency of transfer, purpose), and identifies the competent supervisory authority
- Annex II: Lists the technical and organizational security measures the data importer implements
- Annex III: Lists authorized sub-processors (for Modules 2 and 3, if the controller grants general authorization)
Step 3: Conduct the Transfer Impact Assessment
Complete the TIA before beginning transfers. Document the assessment and retain it as part of your accountability records under GDPR Article 5(2).
Step 4: Implement Supplementary Measures
Based on the TIA findings, adopt and document any necessary supplementary measures. Integrate technical measures into your data processing architecture.
Step 5: Execute and Integrate
The SCCs can be incorporated into a broader commercial contract or executed as a standalone agreement. Third parties may accede to the SCCs at any time with the agreement of all existing parties, a feature called the "docking clause" that was new in the 2021 version.
Step 6: Monitor and Reassess
The obligation to ensure adequate protection is ongoing. Organizations must reassess their TIAs when circumstances change, such as new legislation in the destination country, changes to the data importer's sub-processing arrangements, or new government surveillance programs coming to light.
Relationship Between SCCs and the DPF
SCCs and the EU-US Data Privacy Framework (DPF) serve the same fundamental purpose (enabling lawful data transfers from the EU) but operate through different legal mechanisms.
The DPF provides an adequacy-based transfer route for data sent to certified US organizations. See our complete guide to EU adequacy decisions for the full list of countries. When a US company holds active DPF certification, EU organizations can transfer data to it without SCCs, just as they would to a company in an adequate country.
SCCs provide a contract-based transfer route that works for any country, regardless of adequacy status. They are the primary mechanism for transfers to countries without an adequacy decision, including most of Asia, Africa, Latin America, and the Middle East.
Many organizations use both mechanisms simultaneously. A company might rely on the DPF for transfers to its certified US service providers while using SCCs for transfers to processors in India, the Philippines, or Brazil. Some organizations also maintain SCCs with their DPF-certified US partners as a backup, given the history of invalidated transatlantic frameworks.
The two mechanisms are legally independent. If the DPF were invalidated (as its predecessors were), existing SCC arrangements would remain valid, provided the accompanying TIA and supplementary measures are up to date.
UK International Data Transfer Mechanisms
Following Brexit, the UK established its own framework for international data transfers under the UK GDPR and Data Protection Act 2018. EU SCCs cannot be used for transfers governed by UK law.
The International Data Transfer Agreement (IDTA)
The UK Information Commissioner's Office (ICO) approved the International Data Transfer Agreement (IDTA) in March 2022. The IDTA is a standalone contract, similar in function to the EU SCCs but drafted to align with UK law. It uses a single document with a detailed table format rather than a modular approach.
The UK Addendum
As an alternative to the IDTA, organizations can use the UK Addendum to the EU SCCs. This addendum attaches to a set of EU SCCs and adapts them for UK law purposes. This approach is popular with organizations that already have EU SCCs in place, since it avoids the need for a separate contract.
Transfer Risk Assessments
The ICO requires organizations to conduct a Transfer Risk Assessment (TRA) before relying on either the IDTA or the UK Addendum. The TRA is broadly similar to the EU TIA but follows ICO-specific guidance. The ICO has published a detailed TRA tool to help organizations complete the assessment.
UK-US Data Bridge
For transfers specifically to the United States, the UK established the UK Extension to the Data Privacy Framework (UK-US Data Bridge) in October 2023, providing an adequacy-based route parallel to the EU DPF.
Common Implementation Challenges
Organizations frequently encounter practical difficulties when implementing SCCs. Understanding these challenges helps avoid compliance gaps.
Multi-Layered Processing Chains
Modern data processing often involves multiple layers of processors and sub-processors across several countries. A single SCC agreement may need to incorporate multiple modules, and separate SCCs may be needed at different points in the chain. Mapping these relationships accurately before selecting modules is critical.
Keeping TIAs Current
The legal landscape in destination countries changes. New surveillance legislation, court rulings, or government practices can alter the risk profile of a transfer. Organizations must have a process for monitoring relevant legal developments and updating their TIAs accordingly.
Sub-Processor Management
Modules 2 and 3 require managing sub-processor relationships carefully. When using general authorization (rather than specific authorization for each sub-processor), the processor must inform the controller of any intended changes to sub-processors, giving the controller the opportunity to object.
Enforceability Concerns
SCCs are contractual in nature. If a data importer in a country with weak rule of law breaches the clauses, enforcement may be difficult in practice. Organizations should factor the importer's legal system and the practical enforceability of contractual obligations into their TIA.
This is general legal information, not legal advice. Organizations implementing SCCs or other cross-border transfer mechanisms should consult an attorney for advice specific to their situation.
Sources and References
- EU Implementing Decision 2021/914 on SCCs (eur-lex.europa.eu)
- EDPB Recommendations 01/2020 on Supplementary Measures (edpb.europa.eu)
- UK ICO - International Data Transfer Agreement (ico.org.uk)
- UK ICO - Transfer Risk Assessments (ico.org.uk)
- UK Data Protection Act 2018 (legislation.gov.uk)
- European Commission - SCCs for International Transfers (commission.europa.eu)