Standard Contractual Clauses (SCCs)


TL;DR: Standard Contractual Clauses (SCCs), also called EU SCCs or model clauses, are pre-approved contract templates published by the European Commission that legalize transfers of personal data from the EEA to countries without an adequacy decision. The current EU SCCs were adopted by Commission Implementing Decision 2021/914 on 4 June 2021 and replaced the legacy 2001/2004/2010 clauses. They are modular, covering four transfer scenarios, and must be used together with a transfer impact assessment following the Court of Justice's Schrems II decision (Case C-311/18), which struck down the EU-U.S. Privacy Shield in July 2020.

What Are Standard Contractual Clauses?

Standard Contractual Clauses are a Chapter V transfer mechanism under GDPR Article 46(2)(c) that allows personal data to flow from the EEA to third countries whose legal systems do not provide "essentially equivalent" protection. By incorporating the SCCs into a contract between a data exporter (in the EEA) and a data importer (outside the EEA), the parties bind themselves to a set of data protection obligations that approximate GDPR standards, thereby creating the "appropriate safeguards" that Article 46 requires.

The 2021 SCCs are structured in a modular way. Section I contains general clauses applicable to all modules. Modules One through Four cover the four possible transfer scenarios: Module One (controller to controller), Module Two (controller to processor), Module Three (processor to processor), and Module Four (processor to controller). Parties select the applicable Module and complete the relevant Annexes (I.A, I.B, and II on TOMs; Annex III on subprocessors where Modules Two or Three apply).

Three features distinguish the 2021 SCCs from the legacy clauses. First, the new SCCs include a docking clause (Clause 7) that allows additional parties to join an existing SCC framework. Second, Clause 14 requires the parties to conduct and document a transfer impact assessment (TIA) analyzing whether the importer's local law permits compliance with the SCCs. Third, Clause 15 obligates the importer to challenge government access requests and notify the exporter when the importer receives such requests. These changes respond directly to the Schrems II judgment, which held that SCCs alone are insufficient when importer country law enables disproportionate surveillance.

In the United Kingdom, the Information Commissioner's Office issued the UK International Data Transfer Agreement (IDTA) and a separate International Data Transfer Addendum to the EU SCCs in March 2022, effective 21 March 2022, as the UK equivalent transfer mechanism. Swiss transfers rely on the EU SCCs with a Swiss-specific addendum published by the FDPIC.

Why It Matters

  • The Default U.S. Transfer Vehicle: Most EEA-to-U.S. data transfers rely on SCCs. Although the EU-U.S. Data Privacy Framework (DPF) came into force in July 2023 as an adequacy mechanism, adoption remains partial and the DPF faces potential challenge. SCCs remain the fallback that most multinational organizations maintain.
  • Scale of Application: The International Association of Privacy Professionals estimates that SCCs underpin more than 90 percent of cross-border transfers of personal data from the EEA, touching trillions of euros of commerce annually.
  • Legacy SCC Phase-Out Is Complete: Commission Decision 2021/914 required all legacy SCC contracts (using the 2001, 2004, or 2010 versions) to be replaced by 27 December 2022. Any contract still referencing the old SCCs is now an unlawful transfer in the eyes of EU regulators, exposing both parties to enforcement.
  • Transfer Impact Assessment Obligation: The Schrems II decision requires exporters to verify, case by case, that the importer's legal environment permits compliance with the SCCs. Failure to document a TIA has been cited by regulators (including the Irish DPC in the Meta decision) as an independent basis for finding violations.
  • Direct Enforceability by Data Subjects: Unlike most contract terms, the SCCs create a third-party beneficiary right for data subjects (Clause 3). Individuals can enforce SCC terms directly against the importer or exporter, including under EU member state law chosen in Clause 17.
  • M&A and Due Diligence Trigger: Buyers of companies that transfer EEA personal data review whether SCCs are in place, current, properly completed, and paired with a documented TIA. Gaps here produce specific reps and warranties, purchase price adjustments, and escrow demands.

Key Elements of a Well-Drafted SCC Incorporation

  1. Correct Module Selection: Identify the controller/processor status of each party and select the matching Module. Getting this wrong is the most common documentation defect. Module One: controller (EEA) to controller (third country). Module Two: controller (EEA) to processor. Module Three: processor to processor. Module Four: processor (EEA) to controller (third country).
  2. Annex I.A (List of Parties): Identify each data exporter and data importer with legal entity name, address, contact person, activities relevant to transferred data, and role (controller or processor).
  3. Annex I.B (Description of Transfer): Describe the categories of data subjects, categories of personal data, special categories (if any), frequency of transfer, nature of processing, purpose, retention period, and subprocessor arrangements. Detail here matters because regulators read it as the binding processing scope.
  4. Annex II (Technical and Organizational Measures): List specific TOMs - encryption standards, access controls, physical security, logging, pseudonymization, resilience measures, incident response, personnel training. The EDPB's 2021 Recommendations 02/2020 on supplementary measures provide the authoritative reference.
  5. Annex III (List of Subprocessors) for Modules Two and Three: Identify each subprocessor with name, address, contact details, and the processing activities they perform. Maintain this annex as a living document updated with each change.
  6. Docking Clause (Clause 7): Specify whether additional parties may accede to the SCCs. For enterprise SaaS with multiple affiliates, the docking clause is operationally valuable.
  7. Subprocessor Authorization (Clause 9): In Modules Two and Three, choose Option 1 (prior specific authorization) or Option 2 (general authorization with notice). Specify the notice period (14 to 30 days is common).
  8. Onward Transfers (Clause 8.7): Address transfers to further non-EEA countries. The importer must take supplementary measures to ensure ongoing protection.
  9. Governing Law (Clause 17): Select the law of an EU Member State that provides third-party beneficiary rights to data subjects. Irish, German, French, and Dutch law are common choices.
  10. Jurisdiction (Clause 18): Select the courts of an EU Member State. Data subjects retain the right to sue in their country of habitual residence regardless.

Market Position & Benchmarks

Where Does Your Clause Fall?

  • Importer-Favorable: Clause 9 Option 2 with 30-day notice for subprocessor changes; minimal TOMs annex referencing only the vendor's general security documentation; governing law set to Irish law with no additional member state concessions; TIA performed once and not updated absent changes; no additional supplementary measures layered on top of the SCCs.
  • Market Standard: Clause 9 Option 2 with 14-day advance notice; detailed TOMs annex tied to SOC 2 or ISO 27001 controls; governing law of a member state that matches exporter's primary establishment; annual TIA review; supplementary measures added for high-risk importer jurisdictions (encryption with exporter-held keys, pseudonymization, access logging available on exporter request).
  • Exporter-Favorable: Clause 9 Option 1 (prior specific authorization) for all subprocessors; detailed TOMs with binding specific controls and certifications maintained over the life of the contract; governing law of the exporter's Member State; semi-annual TIA refresh with documented analysis of FISA Section 702, EO 12333, CLOUD Act, and other importer-country surveillance frameworks; exporter right to suspend transfers immediately upon material change in importer country law.

Market Data

  • The European Commission's 2023 implementation review of the 2021 SCCs reported that SCC usage increased 34 percent between 2022 and 2023, with an estimated 1.8 million unique SCC deployments across EEA exporter organizations.
  • The Irish Data Protection Commission's 2023 Meta Platforms decision imposed a 1.2 billion euro fine in part for deficient SCC-based transfers to the United States, representing the largest GDPR fine to date.
  • The IAPP 2024 Cross-Border Data Transfer Survey found that 67 percent of multinational organizations rely on SCCs as their primary Chapter V transfer mechanism, compared to 38 percent using Binding Corporate Rules and 22 percent using the EU-U.S. Data Privacy Framework.
  • According to the EDPB's 2023 coordinated enforcement action on SCC implementation, 41 percent of audited organizations had incomplete or stale Annex I/II/III, and 28 percent had no documented transfer impact assessment.
  • The UK IDTA and Addendum deadline to replace legacy SCCs in UK transfers was 21 March 2024. ICO guidance reported that 22 percent of UK organizations missed the deadline, with many relying on the IDTA and Addendum dual-track approach.
  • A 2024 Gibson Dunn survey of Fortune 500 companies found that 89 percent maintained an SCC template library, 76 percent had a documented TIA methodology, and 43 percent had suspended at least one third-country transfer based on TIA findings since Schrems II.

Sample Language by Position

Importer-Favorable: "The parties incorporate the Standard Contractual Clauses approved by the European Commission in Implementing Decision 2021/914 of 4 June 2021 (Module Two). For Clause 9, Option 2 applies with thirty (30) days' notice. For Clause 17, Irish law governs. For Clause 18, the courts of Ireland have jurisdiction. Annex II (Technical and Organizational Measures) is satisfied by Importer's SOC 2 Type II report, available on request."
Market Standard: "The parties hereby enter into the Standard Contractual Clauses set out in Implementing Decision 2021/914, with Module Two (Controller to Processor) applying between Exporter and Importer. In Clause 7, the docking clause applies. In Clause 9, Option 2 applies with fourteen (14) days' advance notice of subprocessor changes. In Clause 11(a), the optional data subject complaint to an independent dispute resolution body does not apply. Clause 17 specifies the governing law of Ireland. In Clause 18(b), the courts of Ireland are chosen. Annex I, II, and III are attached. Exporter and Importer have completed a transfer impact assessment dated [date] and will review it annually."
Exporter-Favorable: "The parties incorporate the 2021 EU Standard Contractual Clauses (Module Two). In Clause 9, Option 1 (prior specific authorization) applies. In Clause 17, Dutch law governs. In Clause 18(b), the courts of Amsterdam have jurisdiction. Importer shall implement supplementary measures including: (a) encryption of Personal Data at rest and in transit using AES-256 with keys controlled exclusively by Exporter; (b) pseudonymization of all directly identifying fields; (c) a documented process to challenge U.S. government access requests under FISA 702 and EO 12333; and (d) detailed transparency reporting on government requests affecting Exporter's data. Exporter may suspend all transfers upon material adverse change in Importer's country of operation."

Example Clause Language

An SCC incorporation clause in a SaaS DPA between an EEA controller and a U.S. processor:

"To the extent that Processor processes Personal Data originating in the European Economic Area in a country without a Commission adequacy decision, the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 (Module Two) are hereby incorporated into this DPA by reference. The Annexes are set out in Schedule 4 to this DPA. Where Controller is established in the United Kingdom, the parties supplement the EU SCCs with the UK International Data Transfer Addendum approved by the ICO and published 21 March 2022, as set out in Schedule 5."

A transfer impact assessment acknowledgment that the parties often include to document Schrems II compliance:

"The parties acknowledge that prior to entering into this Agreement they have conducted a transfer impact assessment in respect of the transfers governed by the Standard Contractual Clauses. The assessment is documented in Schedule 6 and considered, among other factors: (i) the laws and practices of the Importer's country relevant to government access to Personal Data; (ii) the supplementary measures identified in Annex II; and (iii) the data subjects and categories of data transferred. The parties will review and update the assessment at least annually and upon any material change in applicable law or in the nature of the transfers."

A subprocessor onward transfer clause aligning with Clause 9 Option 2 of the SCCs:

"Processor has Controller's general authorization to engage subprocessors listed in Annex III. Processor shall inform Controller of any intended changes in writing at least fourteen (14) days before the new or replacement subprocessor begins processing. Controller may object within ten (10) days on reasonable grounds related to data protection. If Controller objects, the parties shall work in good faith to resolve the concern, failing which Controller may terminate the affected services without penalty. Processor shall ensure each subprocessor signs clauses providing data protection obligations equivalent to those in these SCCs."

Common Contract Types

  • SaaS and Cloud Services Agreements: SCCs are standard appendices to DPAs for any cloud vendor with non-EEA processing. Microsoft, Google, AWS, Salesforce, Workday, and similar providers publish pre-completed SCCs for customer signature.
  • Managed Services and Outsourcing Contracts: IT outsourcing, BPO, customer service, and payroll processing contracts with offshore delivery (India, Philippines, Mexico) rely on SCCs as the transfer vehicle.
  • Intra-Group Data Transfer Agreements: Multinational enterprises use SCCs to govern flows between EEA affiliates and non-EEA entities. Many have transitioned to Binding Corporate Rules, but BCR approval is lengthy and SCCs remain a gap filler.
  • Research and Clinical Trial Agreements: Life sciences and pharmaceutical sponsors transferring clinical data from EEA sites to U.S. or other third-country sponsors use SCCs with heightened TOMs reflecting health data sensitivity.
  • Marketing Technology and Ad Tech Contracts: The cookie/adtech ecosystem relies heavily on SCCs, though post-Schrems II many EEA supervisory authorities have questioned whether SCCs alone are sufficient for web analytics transfers.
  • M&A and Due Diligence Data Rooms: When the buyer or its advisors are outside the EEA, data room access agreements include SCCs as a condition of access to the target's personal data.
  • Employee HR Systems: Global HRIS platforms, performance management tools, and payroll systems with non-EEA processing require SCCs, with special attention to special category data like health or union membership.
  • Financial Services and Banking Vendors: Core banking, anti-money laundering, fraud detection, and KYC vendors operating globally need SCCs alongside specific financial regulator requirements.

Negotiation Playbook

Key Drafting Notes

  • Match Module to Reality, Not Convenience: The most common error is defaulting to Module Two (controller to processor) when the importer is actually a joint controller or independent controller. Getting the Module wrong voids the transfer safeguard and exposes both parties to regulatory findings.
  • Write Annexes As If They Were Binding - Because They Are: Annex I.B (description of transfer) and Annex II (TOMs) are not marketing text. Regulators read them as the contractual scope, and variance from documented reality is a finding. Audit the annexes against actual data flows before signing.
  • Document the Transfer Impact Assessment Separately: The TIA is not part of the SCCs themselves but is required by Clause 14. Use a standalone memo referencing authoritative sources (EDPB Recommendations 01/2020 and 02/2020, CoE 108 resolutions, national surveillance law analyses). Refresh annually.
  • Layer Supplementary Measures for High-Risk Jurisdictions: For transfers to the U.S., China, Russia, or other surveillance-active jurisdictions, SCCs alone are increasingly viewed as insufficient. Add technical measures (encryption with exporter-held keys, pseudonymization), contractual measures (challenge obligations, transparency reporting), and organizational measures (access limitations, data minimization).
  • Coordinate UK IDTA Strategy: For transfers touching both EEA and UK, most organizations use the EU SCCs with the UK Addendum rather than the standalone IDTA. The Addendum approach is easier to maintain and aligns EU/UK obligations in one document.
  • Build a Suspension Workflow: SCCs require parties to suspend transfers when they determine protection is no longer adequate. Pre-agree the workflow: who decides, what triggers review, what interim measures apply. Silent suspension clauses tend to paralyze the parties when triggered.

Common Pitfalls

  • Incomplete Annexes: Blank or placeholder Annexes I.B, II, or III make the SCCs functionally defective. Regulators have issued enforcement decisions solely on the basis of missing annex content.
  • Wrong Module or No Module Identified: Entering into the SCCs without specifying which Module applies (or selecting multiple incompatible Modules) is a common drafting error that invalidates the transfer framework.
  • Stale SCCs Referencing 2001/2004/2010 Clauses: Any contract signed before June 2021 that was not refreshed by 27 December 2022 is using an invalid transfer mechanism. Periodic contract audits must include SCC version verification.
  • No Transfer Impact Assessment: Post-Schrems II, relying on the SCCs without a documented TIA is not a lawful transfer. The TIA must be specific to each transfer scenario and updated on material change.
  • Ignoring Onward Transfers: Clause 8.7 governs transfers from the importer to further non-EEA recipients. Failing to address onward transfers leaves a gap that subprocessors and successor vendors can fall into unnoticed.
  • Mismatched Governing Law and Jurisdiction: Choosing Irish law in Clause 17 but Delaware courts in Clause 18 breaks the third-party beneficiary enforcement scheme. Stay within EU Member State options.

Jurisdiction Notes

  • EU (Implementing Decision 2021/914): The 2021 SCCs are directly applicable across all EEA Member States. The European Commission retains authority to adopt new or amended SCCs. The European Data Protection Board coordinates supervisory authority enforcement and has issued binding guidelines on SCC use (EDPB 2021 Guidelines 05/2021).
  • U.K. (IDTA and Addendum): The ICO approved the International Data Transfer Agreement and the International Data Transfer Addendum to the EU SCCs on 21 March 2022, effective that date. The Addendum allows parties to continue using the EU SCCs as their baseline and add UK-specific modifications. Legacy transfers had until 21 March 2024 to switch.
  • Switzerland (Revised FADP): Swiss transfers to non-adequate countries rely on the EU SCCs supplemented by a Swiss addendum published by the FDPIC. The revised Swiss FADP, effective September 2023, aligns closely with GDPR transfer requirements.
  • U.S. (Adequacy via EU-U.S. DPF): The EU-U.S. Data Privacy Framework, adopted by the European Commission on 10 July 2023, provides an adequacy basis for transfers to self-certified U.S. organizations. However, most multinationals continue to maintain SCCs as a backup in case of a successful legal challenge.
  • China (PIPL): China's Personal Information Protection Law requires its own standard contract for outbound transfers, approved by the Cyberspace Administration of China (CAC Standard Contract, effective 1 June 2023). EU SCCs do not substitute for the Chinese standard contract for outbound flows from China.
  • Other Non-EEA Jurisdictions: Brazil, Argentina, South Korea, Japan, and other jurisdictions have their own cross-border transfer regimes. Multinational data flow mapping must account for each jurisdiction's transfer mechanism separately; SCCs address only EEA, UK, and Swiss outbound transfers.

Related Clauses

  • Data Processing Agreement (DPA) - The parent contract under GDPR Article 28; SCCs typically live as Schedule 4 or 5 within the DPA.
  • Data Protection Clause - General data protection obligations in the master agreement that incorporate DPA and SCCs by reference.
  • Governing Law - Must align with Clause 17 of the SCCs; SCC governing law prevails for SCC-related disputes.
  • Confidentiality Clause - Overlaps with SCC obligations; draft precedence rules for data subject rights and regulatory reporting.
  • Indemnification - SCC liability is joint and several to data subjects; commercial indemnities allocate risk between the parties contractually.
  • Audit Clause - SCC audit rights (Clause 8.9) are often incorporated into broader audit provisions in the master agreement.
  • Notice Clause - SCC Clause 15 notification obligations (government access requests) should align with notice mechanics elsewhere in the agreement.

This glossary entry is provided for informational and educational purposes only. It does not constitute legal advice, and no attorney-client relationship is formed by reading this content. Consult qualified legal counsel for advice on specific contract matters.
