Standard Contractual Clauses (SCCs)

What are SCCs

Standard Contractual Clauses (SCCs) are pre-approved contractual terms adopted by the European Commission through Implementing Decision 2021/914. They are the most widely used mechanism for legitimising personal data transfers to countries outside the EEA that lack an adequacy decision from the Commission.

The four modules

The 2021 SCCs are organised into four modules reflecting different party relationships:

• Module 1: Controller to controller
• Module 2: Controller to processor (the most common scenario for cloud services)
• Module 3: Processor to processor (sub-processing chains)
• Module 4: Processor to controller (data flowing back to a non-EEA controller)

Each module contains tailored obligations appropriate to the nature of the data flow and the roles of the parties.

Schrems II and Transfer Impact Assessments

The CJEU’s Schrems II ruling (2020) established that SCCs alone may not provide sufficient protection if the destination country’s laws undermine the contractual guarantees — particularly regarding government surveillance. Data exporters must now conduct a Transfer Impact Assessment (TIA) before relying on SCCs, evaluating the legal framework of the importing country and implementing supplementary measures (encryption, pseudonymisation, access restrictions) where necessary.

The EU-US Data Privacy Framework

The EU-US Data Privacy Framework (2023) provides an adequacy mechanism for transfers to US companies that self-certify under the framework, reducing (but not eliminating) the need for SCCs in EU-US data flows. For all other non-adequate countries, SCCs remain the primary transfer mechanism.

Practical implementation

Companies must integrate SCCs into all contracts with non-EEA data processors and recipients, complete documented TIAs, implement technical supplementary measures where required, and periodically review the adequacy of safeguards as legal landscapes evolve.