Standard Contractual Clauses (SCCs)
Pre-approved EU contractual terms providing data protection safeguards for international personal data transfers, with four modules covering different party relationships.
Pre-approved EU contractual terms providing data protection safeguards for international personal data transfers, with four modules covering different party relationships.
Continue your mission
Standard Contractual Clauses (SCCs) are pre-approved contractual terms adopted by the European Commission that provide appropriate data protection safeguards for transferring personal data from the EU/EEA to third countries. The current SCCs, adopted in June 2021, replaced the previous versions and introduced a modular approach covering four transfer scenarios between controllers and processors.
The 2021 SCCs consist of four modules: Module 1 (controller-to-controller), Module 2 (controller-to-processor), Module 3 (processor-to-processor), and Module 4 (processor-to-controller). Organizations select the appropriate module based on the roles of the data exporter and importer. Each module contains mandatory clauses covering purpose limitation, data minimization, transparency, security measures, sub-processor management, data subject rights, and breach notification. The clauses are supplemented with annexes detailing the specific transfer (data categories, processing operations, technical measures). Organizations must conduct a Transfer Impact Assessment evaluating whether the importer's country laws impinge on the protections in the SCCs, and implement supplementary technical, organizational, or contractual measures if gaps are identified.
SCCs are the most widely used cross-border transfer mechanism globally, relied upon by millions of organizations from startups to enterprises. Following Schrems II, SCCs alone are insufficient -- they must be paired with Transfer Impact Assessments and supplementary measures. Organizations using outdated pre-2021 SCCs are non-compliant. The European Data Protection Board actively audits SCC usage, and several DPAs have ordered transfer suspensions where SCCs were adopted without adequate supplementary measures.
CDA covers SCC implementation within the Data Protection and Sovereignty domain as a C-BUILD deliverable. Our missions guide organizations through module selection, annex documentation, Transfer Impact Assessment execution, supplementary measure identification, and ongoing monitoring of recipient country legal developments.
CDA Theater missions that address topics covered in this article.
Technical requirements for complying with California's privacy laws, including data mapping, consumer rights, and security obligations.
The CCPA is California's landmark privacy law granting consumers rights over their personal data and imposing obligations on businesses that collect it.
Written by CDA Editorial
Found an issue? Help improve this article.