Guide to Standard Contractual Clauses for International Data Transfers
Everything you need to know about using Standard Contractual Clauses (SCCs) to legally transfer personal data outside the EU.
What Are Standard Contractual Clauses?
Standard Contractual Clauses (SCCs) are pre-approved contractual terms issued by the European Commission that provide legal safeguards for transferring personal data from the EU/EEA to countries that lack an adequacy decision. They are the most widely used mechanism for international data transfers under GDPR.
The current SCCs, adopted in June 2021, replaced the older versions and introduced a modular structure that accommodates different transfer scenarios.
When Do You Need SCCs?
You need SCCs (or an alternative transfer mechanism) whenever personal data is transferred from the EU/EEA to a country that the European Commission has not recognized as providing adequate data protection.
Countries With Adequacy Decisions
As of early 2026, adequacy decisions cover Andorra, Argentina, Canada (commercial organizations under PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, the United States (under the EU-US Data Privacy Framework for certified organizations), and Uruguay.
For transfers to all other countries, you need SCCs, Binding Corporate Rules, or another approved mechanism.
The Four SCC Modules
The 2021 SCCs use a modular approach. You select the module that matches your transfer scenario.
| Module | Transfer Scenario | Example |
|---|---|---|
| Module 1 | Controller to Controller | EU company shares customer data with a US partner |
| Module 2 | Controller to Processor | EU company engages an Indian IT services provider |
| Module 3 | Processor to Processor | EU-based processor sub-contracts to a Philippines-based sub-processor |
| Module 4 | Processor to Controller | Non-EU processor returns data to an EU controller |
Most organizations will use Module 2 (controller to processor) more often than any other module, as it covers the common scenario of engaging cloud service providers and outsourced service providers in non-adequate countries.
How to Implement SCCs: Step by Step
Step 1: Determine Whether SCCs Are Needed
Map your data transfers to identify which ones go to non-adequate countries. For each transfer, determine:
- The roles of the parties (controller or processor)
- The categories of personal data transferred
- The purpose and duration of the transfer
Step 2: Conduct a Transfer Impact Assessment
Since the Schrems II decision, simply signing SCCs is not enough. You must assess whether the legal framework in the receiving country allows the data importer to comply with the SCCs in practice.
Your Transfer Impact Assessment (TIA) should evaluate:
- The laws and practices of the destination country regarding government access to data
- The specific circumstances of the transfer (type of data, industry, volume)
- Any supplementary measures that could strengthen protection
- The practical experience of the data importer with government access requests
Step 3: Select the Appropriate Module
Choose the module that matches your transfer scenario. You can combine multiple modules in a single agreement if you have different types of transfers with the same partner.
Step 4: Complete the Annexes
The SCCs require you to fill in several annexes with specific information:
- Annex I: Details of the transfer (parties, description of transfer, competent supervisory authority)
- Annex II: Technical and organizational security measures implemented by the data importer
- Annex III: List of sub-processors (for Module 2 and Module 3)
These annexes are not optional boilerplate. They must accurately describe your specific transfer arrangements.
Step 5: Implement Supplementary Measures If Needed
If your TIA reveals that the SCCs alone do not provide sufficient protection, implement supplementary measures.
Types of Supplementary Measures
Technical measures:
- End-to-end encryption where the importer does not hold the decryption keys
- Pseudonymization before transfer
- Split processing across jurisdictions so no single entity has the full dataset
Organizational measures:
- Internal policies limiting government access request responses
- Transparency reporting on government requests received
- Regular audits of the data importer's practices
Contractual measures:
- Commitments to challenge disproportionate government access requests
- Obligations to notify the data exporter of access requests (where legally permitted)
- Enhanced audit rights
Step 6: Execute and File the SCCs
Both parties must sign the SCCs. Store executed copies securely and make them available for supervisory authority review upon request.
Step 7: Monitor and Review
SCCs are not a set-and-forget solution. You must:
- Reassess the legal landscape in the destination country if circumstances change
- Update annexes when processing activities change
- Review supplementary measures periodically for continued effectiveness
- Respond to any changes in laws or enforcement practices
Common SCC Pitfalls
- Using the old SCCs: The previous versions expired in December 2022. Any transfers still relying on old SCCs are non-compliant.
- Skipping the Transfer Impact Assessment: Signing SCCs without assessing whether they can be enforced in practice violates the Schrems II requirements.
- Generic Annex II: Vague descriptions of security measures undermine the purpose of the SCCs. Be specific about encryption standards, access controls, and incident response capabilities.
- Ignoring sub-processor chains: If your processor uses sub-processors in non-adequate countries, those onward transfers also need SCCs.
- No ongoing monitoring: Laws change. A TIA conducted two years ago may no longer reflect current conditions.
SCCs vs. Other Transfer Mechanisms
| Mechanism | Best For | Complexity |
|---|---|---|
| SCCs | Individual transfer relationships | Moderate |
| Binding Corporate Rules | Intra-group transfers within multinationals | High |
| Adequacy Decisions | Transfers to recognized countries | Low |
| Derogations (Article 49) | Occasional, non-repetitive transfers | Low (but limited scope) |
For most organizations, SCCs remain the default choice due to their flexibility and relatively straightforward implementation compared to Binding Corporate Rules.
Reducing Your SCC Burden
The simplest way to reduce the complexity of international data transfer compliance is to minimize cross-border transfers in the first place. By hosting data within the EU/EEA, you eliminate the need for SCCs for that data entirely.
Solutions like GlobalDataShield, which offer region-specific document hosting with enforceable data residency controls, allow organizations to keep personal data within jurisdictional boundaries by design. This approach does not eliminate the need for SCCs for all transfers, but it can significantly reduce the number of transfers that require them -- and the associated compliance overhead.