Standard Contractual Clauses (SCCs)

European Commission-approved contract templates providing adequate safeguards for international personal data transfers from the EU to third countries without adequacy decisions, as authorized by GDPR Article 46(2)(c). The Commission published updated SCCs in June 2021 replacing previous versions to address Schrems II concerns and reflect modern data processing. The new SCCs are modular with four modules covering: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-subprocessor transfers. Organizations using SCCs must: conduct Transfer Impact Assessments evaluating whether destination country laws undermine SCC protections, implement supplementary measures if assessments reveal risks (like encryption, pseudonymization, or data minimization), select appropriate modules for their transfer scenario, complete required annexes describing processing, document the assessment, and ensure data importers honor commitments. Simply signing SCCs is insufficient—effective protection must exist. Organizations should regularly review SCCs when laws change, processing evolves, or new risks emerge.