Standard Contractual Clauses (SCCs)

Standard Contractual Clauses (SCCs) are EU-approved contract clauses that provide a valid basis for transferring personal data to third countries. They are the most widely used mechanism for lawful data transfers outside the EU/EEA.

Back to Dictionary

Table of Contents

    What are Standard Contractual Clauses?

    Standard Contractual Clauses (SCCs) are contract clauses adopted by the European Commission pursuant to GDPR Article 46(2)(c). They constitute a valid transfer basis for sending personal data to countries outside the EU/EEA.

    The current SCCs were adopted in June 2021 and replaced the previous versions. They are modular in design and cover different relationships between sender and recipient.

    SCCs are the most widely used mechanism because they are available to all organisations without prior approval from the Data Protection Agency. They are an alternative to adequacy decisions and binding corporate rules.

    The four modules

    The current SCCs are built as a modular system with four modules:

    • Module 1: C2C (Controller to Controller). Data controller in the EU transfers to data controller in a third country.
    • Module 2: C2P (Controller to Processor). Data controller in the EU transfers to data processor in a third country. The most commonly used module.
    • Module 3: P2P (Processor to Processor). Data processor in the EU transfers to sub-processor in a third country.
    • Module 4: P2C (Processor to Controller). Data processor in the EU transfers to data controller in a third country.

    You select the module that matches your specific relationship. SCCs must be entered into as part of (or as an annex to) your data processing agreement with the supplier.

    Transfer Impact Assessment

    Since the CJEU's Schrems II ruling in 2020, it is a requirement that you carry out a Transfer Impact Assessment (TIA) before transferring data based on SCCs.

    A TIA assesses:

    • The legislation in the recipient country (particularly government access to data)
    • Whether the legislation in practice respects the guarantees provided by the SCCs
    • Whether supplementary measures are needed

    Supplementary measures may include:

    • Technical measures: strong encryption where the key remains in the EU
    • Pseudonymisation where the key is not shared with the recipient
    • Contractual measures: obligation to challenge government access requests
    • Organisational measures: strict access control

    If the TIA shows that protection cannot be ensured, you must cease the transfer.

    SCCs in practice

    Most large cloud providers (Microsoft, Google, AWS, etc.) offer SCCs as part of their standard agreements. However, you must still:

    • Verify that SCCs have actually been entered into (not merely assumed)
    • Verify that the correct module has been applied
    • Carry out your own TIA (you cannot simply rely on the supplier's)
    • Document the SCCs and TIA in your record of processing activities
    • Regularly review whether conditions in the recipient country have changed

    You must not alter the SCC text itself, but you may add supplementary clauses that do not contradict the SCCs or undermine the rights of data subjects.

    Frequently Asked Questions about Standard Contractual Clauses (SCCs)

    What are Standard Contractual Clauses (SCCs)?

    Standard Contractual Clauses (SCCs) are contract clauses adopted by the European Commission that provide a valid basis for transferring personal data to countries outside the EU/EEA. They ensure that the data recipient complies with data protection requirements equivalent to the EU level.

    When must you use SCCs?

    You must use SCCs (or another transfer mechanism) when you transfer personal data to a third country that does not have an adequacy decision from the European Commission. SCCs are the most widely used transfer basis for European organisations.

    Must you carry out a TIA alongside SCCs?

    Yes. Since the Schrems II ruling, it is a requirement that you carry out a Transfer Impact Assessment (TIA) assessing whether the legislation in the recipient country in practice respects the guarantees provided by the SCCs. If the TIA identifies problems, you must implement supplementary measures.

    Can you modify the Standard Contractual Clauses?

    You must not alter the SCC text itself, as this would remove their status as an approved transfer mechanism. You may add supplementary clauses, provided they do not contradict the SCCs or undermine data subjects' rights.

    +400 companies use .legal
    Region Sjælland
    Aarhus Universitet
    aj_vaccines_logo
    Realdania
    Right People
    IO Gates
    PLO
    Finans Danmark
    geia-food
    Vestforbrænding
    Evida
    Klasselotteriet
    NRGI1
    BLUE WATER SHIPPING
    Karnov
    Ingvard Christensen
    VP Securities
    AH Industries
    Lægeforeningen
    InMobile
    AK Nygart
    ARP Hansen
    DEIF
    DMJX
    Axel logo
    qUINT Logo
    KAUFMANN (1)
    SMILfonden-logo
    kurhotel_skodsborg
    nemlig.com
    Molecule Consultancy
    Novicell
    Footer topswirl

    Info

    .legal A/S

    hello@dotlegal.com
    +45 7027 0127

    VAT-no: DK40888888

    Support

    support@dotlegal.com
    +45 7027 0127
    Need help?

     

    Office

    Aarhus

    Store Torv 14, 2.
    8000 Aarhus C

    We care about safety

    Download our declarations

    ISAE 3000

    ISAE 3402

    Modules

    Let me help you get started

    joa i blob
    Reach out to me on phone
    +45 7027 0127 and I'll get you started
    arrow-right-white Get a demo

    .legal is not a law firm and is therefore not under the supervision of the Bar Council.

    Footer bottomswirl