Standard Contractual Clauses (SCCs) Explained (2026)

Standard Contractual Clauses (SCCs) are pre-approved contractual terms adopted by the European Commission that organizations use to transfer personal data from the European Economic Area (EEA) to countries without an EU adequacy decision. They are the most widely used legal mechanism for international data transfers under the GDPR, relied upon by tens of thousands of organizations worldwide.

Information last verified on 2026-05-19. This article has not yet been reviewed by a licensed lawyer.

The current SCCs, adopted on June 4, 2021, replaced earlier versions that predated the GDPR and did not address the concerns raised by the CJEU in its Schrems II ruling. The 2021 clauses introduced a flexible modular system, built-in supplementary measure requirements, and provisions that directly address government surveillance access.

This guide covers the four SCC modules, when to use each one, how to conduct a Transfer Impact Assessment, the pending new SCCs for GDPR-subject importers, how SCCs compare to adequacy decisions and Binding Corporate Rules, the UK's separate transfer tools, recent enforcement developments, and common implementation pitfalls.

Jurisdiction scope: This article addresses Standard Contractual Clauses under EU Regulation 2016/679 (GDPR) and UK GDPR, including the UK Data (Use and Access) Act 2025. It covers the four SCC modules (2021 Implementing Decision), the EDPB's supplementary measures guidance, and the UK IDTA and Addendum. For the list of countries with EU adequacy decisions, see our EU adequacy decisions guide. For the EU-US Data Privacy Framework specifically, see our DPF guide.

Quick Answer: What Are SCCs and When Do You Need Them?

Standard Contractual Clauses are pre-approved contractual terms under GDPR Article 46(2)(c) that create binding data protection obligations between an EU-based data exporter and a non-EU data importer. Organizations need SCCs whenever they transfer personal data from the EEA to a country that lacks an EU adequacy decision and no other Article 46 transfer mechanism applies. Common scenarios include EU companies using cloud service providers based in the United States, India, or other non-adequate countries, EU controllers engaging processors in Asia-Pacific or Latin America, and EU-based processors routing data to sub-processors outside the EEA. The obligation to use SCCs (or an alternative transfer mechanism) is strict: transferring personal data to a non-adequate country without a valid legal basis under GDPR Chapter V is a potential violation subject to fines of up to 20 million euros or 4% of global annual turnover.

Why the Old SCCs Were Replaced

The European Commission originally adopted two sets of Standard Contractual Clauses for data transfers. The 2001 (updated 2004) set covered controller-to-controller transfers. The 2010 set covered controller-to-processor transfers. Both were adopted under the 1995 Data Protection Directive (95/46/EC) and remained in use after the GDPR took effect in May 2018.

Several problems made replacement necessary. The old SCCs were drafted under the Directive, not the GDPR, and did not reflect the Regulation's expanded requirements around accountability, data breach notification, and data protection by design. They assumed only two parties (an EU data exporter and a non-EU data importer) and did not account for processor-to-processor or processor-to-controller transfer scenarios, which are common in cloud computing and multi-layered service provider relationships.

The CJEU's ruling in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18, ECLI:EU:C:2020:559 (16 July 2020) (commonly called Schrems II) added urgency. While the Court upheld the validity of SCCs as a transfer mechanism in principle, it required data exporters to verify that the legal framework in the destination country does not undermine the protections the SCCs provide. If laws in the importing country (such as US surveillance laws) conflict with the SCC obligations, the exporter must implement "supplementary measures" to bridge the gap, or halt the transfer.

The European Data Protection Board (EDPB) issued Recommendations 01/2020 (finalized June 2021) detailing what supplementary measures organizations should consider. The new SCCs incorporate several of these requirements directly into the contractual text.

The Four SCC Modules

The 2021 SCCs use a modular approach. Rather than separate sets of clauses for different scenarios, a single framework contains four modules that parties select based on their roles and the direction of data flow.

Module 1: Controller to Controller (C2C)

Module 1 applies when an EU-based data controller transfers personal data to a controller outside the EEA. Both parties independently determine the purposes and means of processing.

Common scenarios include a European company sharing customer data with a US parent company for its own business purposes, or two companies in a joint marketing arrangement where each controls data independently.

Key obligations under Module 1 include providing data subjects with a copy of the SCCs upon request, applying the data exporter's purpose limitation requirements, and enabling data subjects to enforce clauses as third-party beneficiaries.

Module 2: Controller to Processor (C2P)

Module 2 covers the most common transfer scenario: an EU controller engaging a processor (such as a cloud provider, payroll processor, or analytics service) located outside the EEA. This module aligns with GDPR Article 28 requirements for processor agreements.

The data importer (processor) must process data only on documented instructions from the exporter. It must implement appropriate technical and organizational security measures, assist the controller with data subject rights requests, delete or return all data at the end of the service relationship, and notify the controller without undue delay of any personal data breach.

Sub-processing is permitted only with the controller's prior specific or general written authorization. The processor must impose the same data protection obligations on any sub-processor through a contract.

Module 3: Processor to Processor (P2P)

Module 3 addresses situations where an EU-based processor engages a sub-processor outside the EEA. This scenario is extremely common in cloud infrastructure chains. For example, an EU company uses a German cloud provider (processor), which in turn uses a US-based infrastructure provider (sub-processor).

The data flow runs from one processor to another, but the ultimate controller remains the EU entity that originally engaged the first processor. Module 3 requires the sub-processor to process data only according to the original controller's instructions, as communicated through the first processor.

Module 4: Processor to Controller (P2C)

Module 4 covers the reverse flow: when an EU-based processor returns or transfers data to its controller located outside the EEA. This scenario arises when, for instance, a European data processing service provider transfers results back to its non-EEA client who is the data controller.

This module is less commonly used than the others but fills a genuine gap. Under the old SCCs, no standard clauses existed for this transfer direction, forcing organizations to rely on alternative legal bases or ad hoc contractual arrangements.

How to Use the Modular SCCs

Organizations implementing SCCs should follow a structured process to ensure compliance.

Step 1: Determine Applicable Modules

Map all international data transfers and identify the roles of each party. Select the appropriate module(s) for each transfer. A single SCC agreement can incorporate multiple modules if the parties have different roles for different processing activities.

Step 2: Complete the Annexes

The SCCs include several annexes that must be populated with transfer-specific details:

• Annex I: Describes the parties, the data transfer (categories of data subjects, types of personal data, frequency of transfer, purpose), and identifies the competent supervisory authority
• Annex II: Lists the technical and organizational security measures the data importer implements
• Annex III: Lists authorized sub-processors (for Modules 2 and 3, if the controller grants general authorization)

Step 3: Conduct the Transfer Impact Assessment

Complete the TIA before beginning transfers. Document the assessment and retain it as part of your accountability records under GDPR Article 5(2).

Step 4: Implement Supplementary Measures

Based on the TIA findings, adopt and document any necessary supplementary measures. Integrate technical measures into your data processing architecture.

Step 5: Execute and Integrate

The SCCs can be incorporated into a broader commercial contract or executed as a standalone agreement. Third parties may accede to the SCCs at any time with the agreement of all existing parties; this feature is called the "docking clause" and was new in the 2021 version.

Step 6: Monitor and Reassess

The obligation to ensure adequate protection is ongoing. Organizations must reassess their TIAs when circumstances change, such as new legislation in the destination country, changes to the data importer's sub-processing arrangements, or new government surveillance programs coming to light.

Transfer Impact Assessments and Supplementary Measures

The 2021 SCCs require parties to conduct a Transfer Impact Assessment (TIA) before relying on the clauses for data transfers. This requirement is built directly into Clause 14 of the SCCs.

What a TIA Involves

A TIA evaluates whether the laws and practices of the destination country provide a level of protection "essentially equivalent" to that guaranteed under EU law. The assessment must consider:

• The specific circumstances of the transfer, including the nature of the data, the purpose, the length of the processing chain, and the categories of recipients
• The laws of the destination country relevant to the transfer, particularly those governing government access to personal data for surveillance or law enforcement purposes
• Any relevant contractual, technical, or organizational safeguards in place to supplement the SCCs

The EDPB's Recommendations 01/2020 outline a six-step process for conducting TIAs:

1. Map your data transfers
2. Identify the transfer mechanism (SCCs in this case)
3. Assess whether the destination country's legal framework impairs the effectiveness of the transfer mechanism
4. Identify and adopt supplementary measures if needed
5. Take any procedural steps required by the supplementary measures
6. Re-evaluate at appropriate intervals

Supplementary Measures

When a TIA identifies risks, organizations must implement supplementary measures to restore the level of protection to an "essential equivalence" standard. These fall into three categories:

Technical measures include end-to-end encryption (where only the data exporter holds the decryption key), pseudonymization (where the mapping table stays in the EEA), and split or multi-party processing that prevents the importer from accessing data in the clear.

Contractual measures involve strengthening obligations beyond the SCC baseline. Examples include requiring the data importer to challenge government access requests through all available legal avenues, to notify the exporter of any legally binding request for data disclosure (to the extent permitted by law), and to provide periodic transparency reports.

Organizational measures include internal data governance policies, minimizing data transferred to what is strictly necessary, adopting strict access controls on the importer's side, and conducting regular audits.

The EDPB has emphasized that contractual and organizational measures alone cannot compensate for deficiencies in the destination country's legal framework if the government can compel access to data in the clear. Technical measures that prevent access to readable data are the most effective safeguard in high-risk jurisdictions.

Watch out: Enforcement actions show that SCCs executed without rigorous TIAs create substantial compliance risk. The Irish DPA issued a 1.2 billion euro fine against Meta in May 2023, following EDPB Binding Decision 1/2023, for transferring Facebook user data to the US via SCCs without supplementary measures sufficient to compensate for the inadequate protection provided by US law. The Dutch DPA imposed a 290 million euro fine on Uber in 2024 for transferring drivers' data to the US without a valid transfer mechanism. Supervisory authorities treat inadequate TIAs and missing supplementary measures as substantive violations, not procedural deficiencies.

The Pending SCCs for GDPR-Subject Importers

The 2021 SCCs have a significant limitation: they apply only to transfers where the data importer's processing is NOT subject to the GDPR. By their own terms, the clauses govern transfers from an EU/EEA data exporter to a data importer "whose processing of the data is not subject to [the GDPR]."

This creates a gap. A company based in Canada, Japan, or Brazil may have processing activities that fall within GDPR's territorial scope under Article 3(2) because it targets goods or services to EU residents or monitors their behavior. When an EU entity transfers personal data to such a company, a transfer mechanism under GDPR Chapter V is still required. The cross-border transfer creates risks even when the importer is directly bound by the GDPR in its processing activities. Yet the 2021 SCCs are structurally unsuitable for this scenario because they would partly duplicate and partly deviate from obligations the importer already holds under the GDPR directly.

The EDPB called on the European Commission to develop new SCCs covering exactly this scenario. The Commission acknowledged the gap and announced development of a new SCC set. A public consultation was planned for Q4 2024, with a draft for adoption targeted in Q2 2025.

As of May 2026, the Commission's official SCC publications page does not list a formally adopted implementing decision for these Article 3(2) SCCs. Organizations facing this scenario currently have limited options: Binding Corporate Rules (within corporate groups), ad hoc contractual clauses approved by a supervisory authority under Article 46(3)(a), or relying on the Article 49 derogations where applicable. The Dutch DPA's fine against Uber highlighted the real enforcement risk of proceeding with transfers to GDPR-subject importers without a recognized mechanism.

Organizations should monitor the Commission's SCCs page for the formal adoption of these clauses.

SCCs, Adequacy Decisions, and Binding Corporate Rules Compared

GDPR Chapter V provides several mechanisms for lawful international data transfers. The three most commonly used are adequacy decisions (Article 45), Standard Contractual Clauses (Article 46(2)(c)), and Binding Corporate Rules (Article 47).

For most organizations, SCCs are the default mechanism for transfers to non-adequate countries. Adequacy decisions are simpler where available but limited by geography. BCRs are powerful for large multinationals with substantial intra-group transfer volumes but impractical for small organizations or external transfers.

Relationship Between SCCs and the EU-US Data Privacy Framework

SCCs and the EU-US Data Privacy Framework (DPF) serve the same fundamental purpose (enabling lawful data transfers from the EU) but operate through different legal mechanisms.

The DPF provides an adequacy-based transfer route for data sent to certified US organizations. When a US company holds active DPF certification, EU organizations can transfer data to it without SCCs, just as they would transfer to a company in an adequate country. See our complete guide to EU adequacy decisions for the full list of countries.

SCCs provide a contractual-based transfer route that works for any country, regardless of adequacy status. They are the primary mechanism for transfers to countries without an adequacy decision, including most of Asia, Africa, Latin America, and the Middle East.

Many organizations use both mechanisms simultaneously. A company might rely on the DPF for transfers to its certified US service providers while using SCCs for transfers to processors in India, the Philippines, or Brazil. Some organizations maintain SCCs with DPF-certified US partners as a backup, given the history of invalidated transatlantic frameworks.

DPF Legal Status as of May 2026

The DPF has faced legal challenge. On September 3, 2025, the EU General Court dismissed an annulment action brought by French MEP Philippe Latombe, confirming the DPF's validity based on the facts at the time of the Commission's 2023 adequacy determination. The court rejected Latombe's arguments that the US Data Protection Review Court lacks independence and that bulk surveillance lacks sufficient ex post judicial review. Latombe filed an appeal to the CJEU on October 31, 2025; that appeal is currently pending.

A separate question concerns executive actions by the US administration. The case Trump v. Slaughter was scheduled for a ruling by June or July 2026, with potential implications for the US privacy framework that underpins the DPF.

Organizations relying solely on the DPF for US transfers should monitor these proceedings. The SCCs-plus-supplementary-measures approach provides a backup that would remain valid even if the DPF were invalidated, as it was with the Privacy Shield in 2020.

UK International Data Transfer Mechanisms

Following Brexit, the UK established its own framework for international data transfers under the UK GDPR and Data Protection Act 2018. EU SCCs cannot be used for transfers governed by UK law.

The International Data Transfer Agreement (IDTA)

The UK Information Commissioner's Office (ICO) approved the International Data Transfer Agreement (IDTA) in March 2022. The IDTA is a standalone contract, similar in function to the EU SCCs but drafted to align with UK law. It uses a single document with a detailed table format rather than a modular approach.

The UK Addendum

As an alternative to the IDTA, organizations can use the UK Addendum to the EU SCCs. This addendum attaches to a set of EU SCCs and adapts them for UK law purposes. This approach is popular with organizations that already have EU SCCs in place, since it avoids the need for a separate contract.

Transfer Risk Assessments

The ICO requires organizations to conduct a Transfer Risk Assessment (TRA) before relying on either the IDTA or the UK Addendum. The TRA is broadly similar to the EU TIA but follows ICO-specific guidance. The ICO has published a detailed TRA tool to help organizations complete the assessment.

The Data (Use and Access) Act 2025 and Updated ICO Guidance

The UK's Data (Use and Access) Act (DUAA) received Royal Assent on June 19, 2025. Schedule 7 of the DUAA amended the standard for international transfers. The protection required is now described as "not materially lower" than the standard under UK GDPR and the DPA 2018, referred to as the "data protection test." This replaced the previous standard of "not undermined."

The ICO published updated international transfers guidance on January 15, 2026, restructuring its existing guides and incorporating the DUAA's new language. The ICO has indicated that it plans to update the IDTA and Addendum during 2026 to reflect DUAA amendments. Organizations should continue using the current IDTA and Addendum versions until those updates are published.

UK-US Data Bridge

For transfers specifically to the United States, the UK established the UK-US Data Bridge in October 2023, providing an adequacy-based route parallel to the EU-US DPF. The UK's adequacy decisions for EEA-to-UK transfers were renewed by the European Commission on December 19, 2025, valid until December 27, 2031.

Note for EEA-to-UK transfers: Organizations in the EU transferring personal data to recipients in the UK do not need SCCs for those transfers. The European Commission's adequacy decision for the UK covers EEA-to-UK transfers. SCCs are needed for the reverse direction (UK-to-EU transfers) and for UK-to-non-adequate-country transfers under UK law.

Common SCC Mistakes

Organizations frequently encounter practical difficulties when implementing SCCs. Understanding these challenges helps avoid compliance gaps.

Multi-Layered Processing Chains

Modern data processing often involves multiple layers of processors and sub-processors across several countries. A single SCC agreement may need to incorporate multiple modules, and separate SCCs may be needed at different points in the chain. Mapping these relationships accurately before selecting modules is critical.

Keeping TIAs Current

The legal landscape in destination countries changes. New surveillance legislation, court rulings, or government practices can alter the risk profile of a transfer. Organizations must have a process for monitoring relevant legal developments and updating their TIAs accordingly. The EDPB's June 2025 Guidelines 02/2024 on Article 48 GDPR added guidance on how organizations should respond when third-country government authorities demand access to data held by the importer, a TIA-relevant risk factor that should now be assessed explicitly.

Sub-Processor Management

Modules 2 and 3 require managing sub-processor relationships carefully. When using general authorization (rather than specific authorization for each sub-processor), the processor must inform the controller of any intended changes to sub-processors, giving the controller the opportunity to object.

Enforceability Concerns

SCCs are contractual in nature. If a data importer in a country with weak rule of law breaches the clauses, enforcement may be difficult in practice. Organizations should factor the importer's legal system and the practical enforceability of contractual obligations into their TIA.

Transfers to GDPR-Subject Importers

Organizations that need to transfer personal data to importers already directly subject to the GDPR under Article 3(2) face a structural gap in the current SCC framework. The 2021 SCCs are not designed for this scenario. Until the Commission formally adopts new clauses for this situation, organizations should consider BCRs (within corporate groups), supervisory authority-approved ad hoc clauses under Article 46(3)(a), or documented reliance on Article 49 derogations where applicable. This is not a minor risk: the Dutch DPA's fine against Uber involved precisely this type of transfer without a recognized mechanism.

Recent Developments (2024 to 2026)

Several significant developments have occurred since the 2021 SCCs took full effect.

Meta enforcement (May 2023): The Irish DPA issued a 1.2 billion euro fine against Meta following EDPB Binding Decision 1/2023. The EDPB found that Meta's SCC-based transfers of Facebook user data to the US lacked supplementary measures sufficient to compensate for the inadequate protection provided by US surveillance law. Meta was ordered to bring its transfers into compliance.

Uber enforcement (2024): The Dutch DPA imposed a 290 million euro fine on Uber for transferring drivers' personal data to the US without a valid transfer mechanism during a period when no recognized mechanism was in place.

DPF legal challenge (2025): The EU General Court dismissed the Latombe challenge to the DPF on September 3, 2025. Latombe filed a CJEU appeal on October 31, 2025. The appeal is pending. Trump v. Slaughter, with potential implications for the US privacy framework underpinning the DPF, was scheduled for a ruling by mid-2026.

EDPB Article 48 guidelines (June 2025): The EDPB adopted final Guidelines 02/2024 on Article 48 GDPR on June 5, 2025. These clarify that organizations receiving demands from third-country government authorities to transfer EU personal data must assess each request individually and cannot treat such requests as a routine compliance obligation.

UK Data (Use and Access) Act 2025: Royal Assent on June 19, 2025, changed the UK transfer standard to the "data protection test" (not materially lower than UK GDPR). The ICO published updated international transfers guidance on January 15, 2026. IDTA and Addendum updates are expected during 2026.

UK adequacy renewal (December 2025): The European Commission renewed its adequacy decisions for the UK on December 19, 2025, valid until December 27, 2031.

Article 3(2) SCCs (pending): The Commission's planned new SCCs for GDPR-subject importers had not been formally adopted as of May 2026. Organizations facing this scenario should monitor the Commission's SCCs page for updates.

This is general legal information, not legal advice. Organizations implementing SCCs or other cross-border transfer mechanisms should consult an attorney licensed in their jurisdiction for advice specific to their situation. This article reflects statutes and guidance verified as of May 19, 2026.