Modern business operations rely on data transfers; think analytics platforms, cloud services, and advertising partners. But every time personal data leaves the European Union (EU) or the European Economic Area (EEA), your business takes on legal responsibility.
These transfers aren’t automatically compliant with the General Data Protection Regulation (GDPR). If you send personal data abroad without the right safeguards, you expose your organization to significant fines, enforcement action, and reputational damage, not to mention loss of customer trust.
Standard Contractual Clauses (SCCs) can make these transfers GDPR-compliant. SCCs provide a legally approved framework to protect personal data in alignment with EU standards, even when it is processed in countries with their own data privacy laws.
This guide breaks down everything you need to know about SCCs, from what they are to when they’re required. You’ll also learn the practical steps necessary to implement SCCs correctly.
At a glance
- Standard Contractual Clauses (SCCs) are required by the GDPR when transferring personal data to most countries outside of the EU/EEA.
- They are required for any data transfer to a recipient without an adequacy decision, including places with strong local privacy laws, like Brazil.
- SCCs require the non-EU recipient to employ GDPR-level protections for security, purpose limits, and rights handling.
- Without SCCs or another valid safeguard, cross-border transfers are unlawful under the GDPR and can trigger major enforcement action.
- Effective implementation means mapping transfers, picking the right SCC module, completing a Transfer Impact Assessment (TIA), and adding supplementary measures where needed.
What are standard contractual clauses (SCCs)?
Standard Contractual Clauses are legally recognized contractual terms that permit organizations to transfer data from the EU or EEA to countries that don’t have an adequacy decision from the European Commission.
- Art. 45 GDPR explains adequacy decisions by stating that “a transfer of personal data to a third country or an international organization may take place” if the European Commission has decided that the receiving country ensures an adequate level of data protection.
- Art. 46 GDPR states that SCCs are a valid safeguard when personal data is sent to a third country or international organization without an adequacy decision.
SCCs are practical tools that require data recipients outside the EU to uphold GDPR-level protections. They help ensure that personal data is handled responsibly, even in jurisdictions with different legal frameworks.
SCCs impose certain conditions on the data recipient and legally enforceable safeguards that align with GDPR requirements. These include:
Security obligations: To help ensure data is stored, processed, and transmitted securely to prevent breaches.
Limits on data use: To restrict the purposes for which data can be processed, which helps to ensure that it is only used as agreed upon in the contract.
Protection of individuals’ rights: To protect data subject requests, such as access, correction, or deletion, even when their data is stored outside of the EU.
Accountability and oversight: To enable data exporters to monitor compliance and, if necessary, take corrective action.
When and where do SCCs apply?
Standard contractual clauses apply whenever personal data is transferred from the EU or EEA to a country that does not have an adequacy decision from the European Commission.
As of January 2026, there are only 14 countries and dependencies with adequacy decisions: Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, the United Kingdom, and South Korea.
For now, there is also an adequacy decision with the United States for the EU-U.S. Data Privacy Framework, which covers U.S. companies that receive proper certification.
That means SCCs are required when transferring data from the EU/EEA to any country not listed above, including Australia, China, and India, to name a few.
They are required regardless of whether the receiving country has its own robust data privacy law. For example, SCCs are required for data transfers to Brazil, even though its General Data Protection Law (LGPD) was influenced by the GDPR.
Consider this hypothetical example: A marketing team in Germany acts as the data exporter when it shares customer data with an email marketing agency located in Singapore, which acts as the data importer. This transfer would only be lawful if an SCC is in place.
What changed in 2021?
In June 2021, the European Commission introduced an overhaul of SCCs to better align them with GDPR requirements and the realities of modern data transfer scenarios.
These new Standard Contractual Clauses intend to provide clearer guidance and stronger protections as data is moved between organizations and across borders. They serve two primary purposes:
To clarify the relationship between controllers and processors
These clauses explicitly reflect controller vs processor obligations such as accountability, transparency, and the responsibilities of each party in the data processing chain.
As a tool for data transfers
Designed to ensure lawful transfers of personal data outside of the EU/EEA under Art. 46 GDPR, these clauses clarify the safeguards and obligations required for data transfers to countries without an adequacy decision.
Why do SCCs matter under the GDPR?
Standard Contractual Clauses exist to solve one of the fundamental challenges of GDPR compliance: personal data must be protected according to EU standards, even though modern businesses operate globally.
International data transfers are tightly regulated, and even unintentional mistakes or oversights can trigger enforcement actions. Without a valid SCC, international data transfers are considered unlawful, regardless of intent or business necessity.
This requirement applies to all transfers, whether you’re sharing customer information with marketing and analytics platforms or storing data via cloud services. Failing to comply can result in penalties, enforcement actions, and operational disruptions.
For example, the Dutch DPA fined Uber EUR 290 million for failing to use SCCs or implement appropriate safeguards when transferring the information of drivers from Europe to Uber’s headquarters in the US.
Beyond legal and financial risk, SCCs play a key role in maintaining business integrity and trust:
- Customer trust: SCCs demonstrate that personal data is protected according to EU standards, even across borders.
- Vendor and partner relationships: They provide clarity and accountability for international collaborations.
- Auditability and transparency: Implementing SCCs creates a documented, defensible framework for regulatory audits and reviews.
Key takeaway: Properly implemented SCCs signal that an organization takes data protection laws seriously, reducing regulatory risk and reinforcing customers’ and partners’ confidence.
How should businesses create and implement SCCs? 4 practical tips
When an SCC is required, it needs to be implemented carefully. From mapping cross-border data flows to documenting safeguards, these tips break down how to implement SCCs in a way that supports meeting GDPR requirements.
Step 1: Map international data transfers
Without a clear understanding of your international data flows, it is impossible to determine where SCCs are required. The first step toward implementing SCCs is gaining complete visibility into how the personal data your business handles moves across borders.
When mapping international data transfers, consider the following:
Types of personal data transferred: Identify sensitive or high-risk categories, such as customer identifiers, financial data, or health information.
Destination countries: Document all countries outside the EU/EEA that receive personal data, including countries where cloud providers or sub-processors are located.
Data recipients: List all vendors, sub-processors, and third-party partners that process data or have access to it.
Methods of transfer: Consider direct data sharing, API connections, remote access, cloud-based processing, and any other transfer mechanisms.
Frequency and volume: Note how often data is transferred and in what volumes. This can help you prioritize compliance efforts.
Step 2: Determine the correct SCC model
After mapping international data transfers, the next critical step is selecting the correct SCC model. Choosing the right model helps ensure that contractual obligations align with the actual roles of each party, which helps reduce legal and operational risk.
Your SCCs should be structured to match the role each organization plays in processing personal data, including both the data exporter and importer. Identify which of the following models fits your situation:
Controller to Controller (C2C): Both parties involved determine the purposes and means of processing independently.
Controller to Processor (C2P): One party controls the data while the other processes it on their behalf.
Processor to Processor (P2P): Data is passed between processors, typically as part of subcontracting.
Processor to Controller (P2C): Less common, this dynamic occurs when a processor sends data back to a data controller under specific obligations.
Step 3: Conduct a Transfer Impact Assessment (TIA)
Once you have selected the correct SCC model, you must evaluate whether the clauses can be effectively implemented in practice. This is done through a Transfer Impact Assessment (TIA).
A TIA examines the legal, regulatory, and operational environment in the country receiving the personal data to determine whether additional safeguards are needed.Thishelps you understand the real-world risks associated with transferring personal data to a third country.
Key focus areas include:
Local laws and regulations: Assess whether local or industry-specific regulatory requirements may conflict with GDPR protections.
Government access risks: Evaluate the likelihood that public authorities could access data in ways that compromise the privacy rights of data subjects.
Data sensitivity: Consider the type of personal data being transferred, particularly sensitive categories like ethnicity or health data.
Operational practices: Understand how the data will be processed, stored, and secured by the importer.
Step 4: Implement supplementary measures if necessary
After completing a TIA, you may find that SCCs alone are not sufficient to guarantee GDPR-level protection for personal data.
Supplementary measures may be necessary to address risks and keep data as secure as EU standards require. These measures are particularly important when transferring sensitive data or when local laws could conflict with GDPR requirements.
Supplemental measures can include:
Technical measures like encryption, pseudonymisation, secure transfer protocols, and access monitoring.
Contractual measures like additional clauses in vendor agreements that clearly outline responsibilities and obligations.
Organizational measures like role-based access controls, staff training, and internal governance policies.
Turn SCC compliance into a competitive advantage
SCCs are important data protection safeguards that help you maintain GDPR compliance while you navigate complex cross-border transfers. At the same time, they can help strengthen customer trust and support smoother vendor relationships.
When integrated into a broader privacy compliance strategy, SCCs become a tool for operational efficiency and transparency. A holistic approach to data protection enables you to demonstrate your commitment to protecting personal data.Usercentrics supports this approach by offering solutions that help you comply with the GDPR and other data privacy laws. Our platform simplifies consent management, increases transparency around your data collection practices, helps prepare your company for audits, and embeds privacy safeguards into everyday operations.
Join our growing community of data privacy enthusiasts now. Subscribe to the Usercentrics newsletter and get the latest updates right in your inbox.
