Standard contractual clauses
Standard contractual clauses (SCC) are model contract clauses adopted by the European Commission that contractually secure an adequate level of data protection when personal data is transferred to a third country without an adequacy decision.
Standard contractual clauses (SCC) are model contractual safeguards adopted by the European Commission through an implementing decision under Article 46(2)(c) GDPR. They enable the lawful transfer of personal data to a controller or processor in a third country for which the Commission has not issued an adequacy decision. By agreeing to the clauses, the data exporter and data importer commit to a level of data protection essentially equivalent to that of the GDPR and grant data subjects enforceable rights and effective legal remedies.
The new generation of SCC in force since 27 June 2021 (Commission Implementing Decision (EU) 2021/914) replaced the earlier sets of clauses and follows a modular structure. Four modules cover the typical scenarios: controller to controller, controller to processor, processor to processor, and processor to controller. The parties select the appropriate module, complete the annexes with details about the participants, the processing operations and the technical and organisational measures, and may not alter the wording of the clauses themselves. A so-called docking clause allows additional parties to accede at a later stage.
Since the Court of Justice's Schrems II ruling (Case C-311/18 of 16 July 2020), merely concluding the SCC is no longer sufficient. The data exporter must additionally assess whether the law and practice in the destination third country, in particular the access powers of public authorities, undermine the effectiveness of the clauses. This assessment is carried out in a transfer impact assessment; if protection gaps emerge, supplementary measures of a technical, organisational or contractual nature (such as strong encryption or pseudonymisation) must be implemented, or the transfer must be suspended. The SCC are therefore the starting point, not the end point, of a compliant third-country transfer.
Legal Basis
Art. 46(2)(c) GDPR; Commission Implementing Decision (EU) 2021/914; CJEU, judgment of 16 July 2020, C-311/18 (Schrems II)
Practical Example
A German company uses a cloud provider with servers located in the United States. Because no adequacy decision applies to the provider, or the provider is not certified under the EU-U.S. Data Privacy Framework, the data protection officer concludes the "controller to processor" module of the SCC, completes the annexes with the processing description and the agreed technical and organisational measures, and documents a transfer impact assessment. Because US surveillance laws create a residual risk, she supplements the clauses with end-to-end encryption in which only the company manages the keys.