SCC (Standard Contractual Clauses)

Pre-approved contract templates issued by the European Commission for international data transfers, providing adequate safeguards as required by GDPR Article 46. Following the Schrems II decision invalidating Privacy Shield, SCCs became a primary mechanism for EU-to-third-country transfers. The Commission issued updated SCCs in 2021 addressing the decision's concerns and modernizing clauses for current technologies. The new SCCs are modular, covering four transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-sub-processor. Organizations using SCCs must: conduct Transfer Impact Assessments evaluating whether destination country laws undermine protections, implement supplementary measures if needed (like encryption), complete appropriate SCC modules, and ensure data importers comply with obligations. Simply signing SCCs isn't sufficient—organizations must ensure effective protections considering destination jurisdiction's legal framework. SCCs should be incorporated into Data Processing Agreements and reviewed when laws or processing change.