Standard Contractual Clauses: A Marketer’s Guide for International Data Transfers

Summary

Every time your business sends data to a U.S.-based CRM, runs ads through Google, or syncs analytics with a third-party platform, personal data crosses a border. Under the GDPR, that simple, routine action carries a legal obligation. 

In practice, however, many marketing teams rely on tools and vendors without fully addressing what makes those transfers lawful. Standard contractual clauses (SCCs) are often what stands between your operations and a compliance gap.

For years, companies relied on the EU-U.S. Privacy Shield framework to keep those transfers lawful. That changed in July 2020, when the Court of Justice of the European Union struck it down in the Schrems II ruling, citing inadequate protections against U.S. government surveillance. Overnight, thousands of businesses found themselves without a valid legal basis for transferring data to the United States.

Standard contractual clauses (SCCs) stepped in as the primary alternative, and they remain the most widely used mechanism. But they’re also often misunderstood, inconsistently implemented, and treated as a one-time checkbox rather than an ongoing compliance obligation.

  • Standard contractual clauses (SCCs) are EU-approved contracts that create a legal basis for transferring personal data outside the EU/EEA.
  • The European Commission (EC) updated SCCs in June 2021 following the Schrems II ruling, introducing four types of data transfer relationships.
  • SCCs apply any time personal data moves to a country without an EU adequacy decision.
  • A data transfer impact assessment (TIA) is required alongside SCCs in many transfer scenarios and cannot be skipped.
  • The EU-U.S. Data Privacy Framework offers an alternative for certified U.S. organizations, but SCCs remain essential for transfers to most other countries.
  • SCCs cover the transfer mechanism, but they don’t replace the need for valid user consent, which must be managed separately.

What are Standard Contractual Clauses (SCCs)?

Standard contractual clauses (SCCs), also known as model clauses or model contracts, are pre-approved contract templates issued by the European Commission. They set out the data protection obligations that must be met when personal data is transferred from the EU or EEA to a country that hasn’t been granted adequacy status.

An adequacy decision means the EC has assessed a country’s data protection laws and determined they offer an equivalent level of protection to the EU’s General Data Protection Regulation (GDPR). Countries like Japan, Switzerland, and Canada (for commercial organizations) hold adequacy status. 

The U.S. does not hold a blanket adequacy decision, though the EU-U.S. Data Privacy Framework provides a pathway for certified organizations.

When you sign SCCs with a data recipient, you create a legally binding commitment that personal data will be handled with GDPR-equivalent protections, regardless of where it is processed. 

The clauses are standardized by design and cannot be modified, which is what gives them legal force across the EU. By signing them, both parties are bound to specific data protection obligations, regardless of local laws in the destination country.

What Is the UK Equivalent of Standard Contractual Clauses?

Post-Brexit, the United Kingdom operates its own data protection framework under the UK GDPR and the Data Protection Act 2018. The UK doesn’t use EU standard contractual clauses. Instead, the UK Information Commissioner’s Office (ICO) introduced the International Data Transfer Agreement (IDTA) and a UK Addendum to the EU SCCs that makes them compatible with UK law.

If you’re transferring data from the UK to a third country, you need to use the IDTA, not the EU SCCs. For businesses operating across both jurisdictions, this means maintaining separate documentation and potentially signing different agreements with the same vendors.

Who Do EU Standard Contractual Clauses Apply To?

EU standard contractual clauses apply to any organization subject to the GDPR. They are required when personal data is transferred to a recipient in a country outside the EU or EEA with which there is no adequacy decision.

In practice, this requirement includes many common marketing activities. A company based in the EU may use software from a U.S.-based company for email campaigns, customer analytics, advertising, or cloud storage. In these cases, there are almost certainly international data transfers. Those transfers require a valid legal mechanism.

The requirement applies beyond EU borders too. Non-EU companies that collect data from individuals located in the EU/EEA and process it elsewhere must comply with the GDPR. Company size isn’t a factor when it comes to GDPR standard contractual clauses.

When Do You Need SCCs for Data Transfers?

You need standard contractual clauses any time personal data moves from the EU/EEA to a country with which there is no adequacy decision and no other valid transfer mechanism covers it.

The most common triggers for marketing teams:

  • Using U.S.-based analytics tools like Google Analytics 4
  • Running ads through platforms with servers outside the EU
  • Storing customer data in cloud infrastructure in non-adequate countries
  • Sharing data with third-party processors or sub-processors outside the EU/EEA

Exemptions exist under Art. 49 GDPR, including explicit user consent for a specific transfer, or necessity for contract performance. But they’re narrow by design. They’re not meant to substitute for SCCs in routine operations.

Old vs. New Standard Contractual Clauses: What Changed?

The original SCCs, issued in 2001 and 2004, were built for a much simpler data environment. They assumed a direct, two-party transfer. That model no longer reflects how data actually moves today, where multiple vendors, sub-processors, and platforms are often involved in a single workflow. 

The gap became clear after the Schrems II decision, which forced a rethink of how international transfers are structured.

In response, the European Commission introduced a new set of SCCs in 2021. These took effect on June 27, 2021, with a transition period ending on December 27, 2022. Any agreement that still relies on the older clauses no longer provides a valid legal basis for transferring personal data.

The most important change was structural. Instead of a one-size-fits-all template, the new SCCs use a modular approach to reflect that data doesn’t flow in a straight line. 

Today, data moves among tools, vendors, and infrastructure providers. So new contractual obligations need to reflect those realities. If they do not, the agreement may exist on paper but fail under scrutiny.

How SCCs Are Structured

The 2021 SCCs are built around a modular system where each module corresponds to a specific type of relationship among the parties involved in a data transfer. Selecting the correct module ensures that the obligations in the contract align with how data is processed and shared.

The four modules cover controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor transfers. Each one reflects a different role combination, and in practice, most organizations will rely on more than one across their vendor ecosystem.

Module 1: Controller to Controller

Both parties act independently and determine their own purposes for processing. This often appears in data-sharing arrangements or between affiliated companies.

Module 2: Controller to Processor

A controller transfers data to a vendor that processes it on its behalf. This is the most common scenario in operational setups involving tools like CRMs, analytics platforms, or email providers.

Module 3: Processor to Controller

An EU-based processor transfers data back to a non-EU controller. This is less common but can arise in certain service or agency relationships.

Module 4: Processor to Processor

A processor transfers data to a sub-processor outside the EU or EEA. This becomes relevant when vendors rely on additional infrastructure or third-party services in other jurisdictions.

Choosing the wrong module is not simply a minor technical issue. It creates a disconnect between the contract and the data flow, which can undermine the legal basis for the transfer.

What Is a Data Transfer Impact Assessment?

A data transfer impact assessment (TIA) is a way to evaluate whether personal data will remain adequately protected once it leaves the EU. It looks at both the destination country’s legal environment and the specific circumstances of the transfer.

For transfers to the United States, this often includes assessing potential government access under laws such as FISA Section 702. Where risks are identified, organizations may need to implement supplementary measures alongside SCCs. These can include encryption, access controls, or changes to how data is processed.

TIAs are part of broader accountability obligations under Art. 5 GDPR and are explicitly referenced in the 2021 SCCs. Each assessment should reflect the specific vendor and transfer involved, and it should be revisited if the legal or operational context changes.

SCCs and the EU-U.S. Data Privacy Framework

In July 2023, the European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework (DPF). This allows personal data to be transferred to participating organizations in the United States without relying on SCCs, provided those organizations are certified.

Certification status can be verified through the official DPF register.

However, two important limitations apply:

  1. The DPF only covers certified organizations. If a vendor is not listed, standard contractual clauses are still required.
  2. The framework faces ongoing legal scrutiny. NOYB has signalled its intent to bring a formal “Schrems III” challenge against the EU-U.S. Data Privacy Framework before the CJEU, though no case has yet been filed as of early 2026.

Because of this, many companies continue to put SCCs in place even when relying on the DPF. The SCCs act as a fallback if the framework is invalidated again.

For transfers to countries such as India, Brazil, and across Southeast Asia, the DPF does not apply. In those cases, SCCs remain the primary mechanism for lawful international data transfers.

How to Implement Standard Contractual Clauses

SCC implementation is a sequence. It starts with understanding what data is being transferred and ends with a review process that runs on a schedule. Each step builds on the last.

Step 1: Map Your Data Flows

Before signing anything, establish what data is being transferred, to which vendors, and for what purpose. You need to know which tools are receiving personal data from individuals located in the EU, where those tools are based, and whether any sub-processors are involved.

Step 2: Identify Which Transfers Need SCCs

Cross-reference your data map against countries with EU adequacy decisions. Any transfer to a non-adequate country without a valid mechanism in place needs SCCs. 

This step often surfaces more gaps than teams expect, especially in tools that have been added over time without a formal review.

Step 3: Select the Correct Module

Determine your role — controller or processor — and your recipient’s role for each specific transfer. Then match that to the corresponding SCC module.

Different modules carry different obligations for each party, so the selection needs to reflect how the relationship actually works, not a default choice.

Step 4: Conduct a Transfer Impact Assessment

Assess the legal environment of the destination country. Research surveillance laws, government access rights, and whether courts in that country offer effective legal remedies for data subjects.

Document findings and any supplementary measures you’re putting in place. Each TIA should be specific to the transfer, not carried over from another vendor’s assessment. Treat it as a living document that needs revisiting when laws change.

Step 5: Execute the SCCs

Sign the SCCs as an annex to your data processing agreement or as a standalone document. Complete all annexes with the specific details of the transfer, including the type of data, the purpose, and the parties involved. Both sides need to understand what they’re signing, not just countersign and file.

Step 6: Store, Maintain, and Review

Once signed, SCCs should be stored centrally alongside the corresponding data processing agreement and TIA so they can be retrieved quickly if a data protection authority requests them. A shared compliance folder or contract management system works well for this.

Set a formal review cadence. Annually is a reasonable baseline, but reviews should also be triggered by specific events, such as when a vendor updates its sub-processors, the legal landscape changes in a destination country, or a new tool is added to your stack. Regulators expect documentation to be up to date.

Common Mistakes Marketing Teams Make When Implementing SCCs

SCC compliance involves multiple moving parts — modules, assessments, vendor relationships, and documentation — all of which need to stay current. Below are the most common mistakes and how to avoid them.

Using Outdated Clauses

The 2021 SCCs replaced the old versions entirely. Contracts still referencing the old clauses offer no legal protection for transfers made after December 2022.

Skipping the TIA

A data transfer impact assessment is not optional. Incomplete transfer documentation has featured in enforcement actions across multiple EU member states.

Selecting the Wrong Module

Different modules carry different obligations for each party. The contract needs to reflect the actual relationship, not a default choice.

Missing Smaller Vendors

Major platforms get attention. Niche tools in the marketing stack often don’t. Every vendor processing EU personal data outside the EU needs to be assessed.

SCCs cover the transfer mechanism. A separate legal basis is required for collection. Both are required, and neither substitutes for the other.

Filing and Forgetting

GDPR standard contractual clauses need to be reviewed when vendor sub-processors change, when laws shift, and when new tools are added to your stack.

Standard contractual clauses provide a legal mechanism for transferring personal data. But they don’t address whether that data was collected lawfully in the first place. That obligation sits earlier in the chain.

In practice, many international transfers begin with cookies and tracking technologies. These tools often send data outside the EU as soon as they are activated. Under the GDPR, that activation requires a valid consent signal.

SCCs govern what happens after the data is transferred. Consent determines whether the transfer should happen at all.

This is where a consent management platform (CMP) becomes critical. It captures and stores user consent so that tracking technologies only activate when a valid legal basis exists. Without that layer, even well-structured SCCs can be undermined.

If the collection layer is not compliant, the transfer mechanism alone will not fix it.

Managing Compliance During International Data Transfers

Standard contractual clauses are a core part of enabling international data transfers under GDPR. They provide the legal framework that allows data to move across borders in a structured, defensible way.

But SCCs don’t operate in isolation. Their effectiveness depends on how well they’re implemented within the broader data stack. This includes the right module, a documented transfer impact assessment, and consent properly captured before any data is collected, in addition to ongoing oversight as vendors and processing activities evolve.

When those elements are aligned, data transfers become consistent and explainable. Legal obligations are met at each stage, and the setup reflects how data actually moves through marketing and technology environments.

That is what allows international organizations to operate consistently across markets and demonstrate accountability to regulators.

Celestine Bahr
Director Legal, Compliance & Data Privacy, Usercentrics GmbH