SCC
What is SCC?
Standard Contractual Clauses are EU Commission-approved model contracts that provide GDPR-compliant safeguards for transfers of personal data outside the EEA.
Standard Contractual Clauses (SCCs) are template contracts issued by the European Commission under Article 46(2) GDPR that provide appropriate safeguards for transfers of personal data from the EEA to third countries. The current set was adopted in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 and uses a modular structure (controller-to-controller, controller-to-processor, processor-to-processor, processor-to-controller) so parties can select the role-appropriate modules. After Schrems II (C-311/18), data exporters must also conduct a Transfer Impact Assessment (TIA) and, where necessary, implement supplementary measures (encryption, pseudonymisation, contractual or organisational measures). UK exporters use the UK International Data Transfer Agreement (IDTA) or the UK Addendum.
● Examples
- 01: An EU controller signing Module 2 SCCs with a US cloud processor not certified under the DPF.
- 02: A European HR data exporter completing a Transfer Impact Assessment before signing SCCs with an Indian payroll vendor.
● Frequently asked questions
What is SCC?
Standard Contractual Clauses are EU Commission-approved model contracts that provide GDPR-compliant safeguards for transfers of personal data outside the EEA. The term belongs to the Compliance & Frameworks category of cybersecurity.
What are other names for SCC?
Common alternative names include: EU SCCs, 2021 SCCs, Standard Contractual Clauses.
● Related terms
- GDPR (compliance, № 440): The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- DPF (compliance, № 357): EU-US Data Privacy Framework, the July 2023 adequacy mechanism that replaces Privacy Shield for transatlantic transfers of personal data.
- DPA (compliance, № 356): A Data Processing Agreement is the binding contract required by GDPR Article 28 between a data controller and processor when personal data is processed on the controller's behalf.