Contract Creation & Templates

Standard Contractual Clauses: Definition and Relevance in Data Privacy

Standard Contractual Clauses (SCCs) are the European Commission's model clauses that make it lawful to transfer personal data outside the EU under the GDPR. Learn what SCCs mean, when you need them, and how to implement them.

TD
Published September 3, 2024·Updated July 16, 2026
8 min read
More on this topic

Standard Contractual Clauses (SCCs) are the European Commission's model clauses that make it lawful to transfer personal data outside the EU under the GDPR. Learn what SCCs mean, when you need them, and how to implement them.

Data protection has become one of the defining concerns of the digital economy. Standard Contractual Clauses (SCCs) are one of the most important tools for keeping personal data protected when it crosses borders. They ensure that the personal data of people in the EU stays just as protected after it is transferred to a third country as it would be inside the European Union — which matters not only to the companies moving the data, but to every individual who trusts an organisation with it.

SCCs exist because international business needs a legal way to let data flow between different legal systems without lowering the level of protection. Without a mechanism like this, cross-border trade and communication would grind to a halt. This article explains what SCCs are, the legal framework behind them, how to put them into practice, and the challenges and criticism that surround them.

What are Standard Contractual Clauses? (SCC meaning)

Standard Contractual Clauses (SCCs) are pre-formulated model data protection clauses issued by the European Commission that let organisations transfer personal data outside the EU while preserving the level of protection required by the General Data Protection Regulation (GDPR). In plain terms, SCCs are a standardised contract that keeps personal data protected even when it is sent to countries outside the EU, where data protection standards may be weaker.

The clauses set out what data controllers and processors must do when they transfer data to keep it secure — covering both technical and organisational measures. They spell out the responsibilities of each party and confirm the rights that data subjects keep, such as the right to access, rectify, or erase their data. Because the wording is fixed and approved in advance, both sides know the safeguards meet the GDPR's standard without having to negotiate them from scratch.

The European Commission's Standard Contractual Clauses documents used to safeguard international personal data transfers

History and development of SCCs

The story of SCCs runs in parallel with the wider development of EU data protection law. Early this century, as the EU recognised the need to protect personal data across national borders, the first sets of SCCs were introduced. These early versions aimed to guarantee a baseline level of protection and build trust in international data transfers.

A key milestone was the Data Protection Directive 95/46/EC in 1995, which set legally binding conditions for protecting personal data and paved the way for the clauses that followed. SCCs have been revised several times since to keep pace with legal and technological change. The most significant overhaul came in 2021, when the European Commission published modernised SCCs tailored specifically to the GDPR — including a modular structure that covers different transfer scenarios (controller-to-controller, controller-to-processor, and so on) and reflects the Court of Justice's Schrems II ruling.

Legal basis of the Standard Contractual Clauses

The legal basis for SCCs sits in the GDPR itself, specifically Article 46, which governs transfers of personal data to third countries. Under the GDPR, personal data may only be transferred to a third country if an adequate level of protection is guaranteed. SCCs provide exactly that guarantee and are recognised by the European Commission as an appropriate safeguard.

In practice, any company or organisation that wants to transfer EU residents' data to a country outside the European Economic Area (EEA) must either use the Commission's SCCs or rely on another recognised safeguard, such as Binding Corporate Rules (BCRs). The clauses are designed to protect individuals' rights and freedoms and to prevent their data from being misused or left inadequately protected. For the bigger picture of how these transfers fit into your obligations, see our practical GDPR compliance guide.

The role of SCCs in data transfers

SCCs are central to global trade and communication. They give companies a lawful, secure way to transfer data to countries that do not have an "adequacy decision" from the Commission. They function as a contractual safety net, keeping data subjects' rights intact throughout the transfer.

A common example is a European company using cloud services from a US provider. By putting SCCs in place, the European company can require the US provider to uphold the same data protection standards as in the EU, even though the data physically sits on servers in the United States. That matters most for sensitive data — health records, financial information, and other personal data that needs extra protection. SCCs typically live inside a broader data processing agreement that governs how a processor handles the data on your behalf.

A European company transferring personal data to a cloud provider under Standard Contractual Clauses

Challenges and criticism of Standard Contractual Clauses

Challenges in day-to-day use

Putting SCCs into practice comes with real hurdles. The biggest is capacity: companies, especially small and medium-sized enterprises (SMEs), often lack the resources and in-house expertise to fully understand and implement the requirements. That gap can lead to compliance risks and, ultimately, data breaches.

A second challenge is that data protection law never stands still. Companies have to meet today's requirements while staying ready for tomorrow's — which is both time-consuming and costly. They also have to make sure every partner and service provider actually lives up to the agreed standards, and that means continuous monitoring and regular audits rather than a one-time check.

Criticism and room for improvement

Useful as they are, SCCs draw criticism from data protection experts and companies alike. A frequent complaint is that they are too rigid. In a world where technology moves fast, companies want flexible, adaptable solutions that fit their specific needs — and fixed model wording can feel like a poor match.

The other recurring criticism is administrative burden. Many organisations find the paperwork extensive and complicated. More guidance and support from data protection authorities would help, and clearer, more practical implementation guidelines would go a long way toward simplifying the process.

How to implement SCCs in your organisation

Rolling out SCCs is a structured project rather than a single signature. The core steps are:

  • Map and assess your data flows: identify every international data transfer your organisation makes, and who receives the data.
  • Integrate the right clauses: select the correct SCC module for each scenario, adapt it to your specific transfers, and build it into your contracts with third-party providers.
  • Add supplementary measures: implement extra technical and organisational safeguards — such as encryption or pseudonymisation — where a transfer impact assessment shows they are needed.

After roll-out, run regular reviews and audits to confirm the clauses are still being followed and to keep improving your data protection measures as circumstances change.

Best practices for SCC compliance

To keep SCC compliance on track over the long term, a few habits make the difference. Build an internal data protection programme that continuously monitors and updates your safeguards, and make sure everyone who works with personal data is trained on what the clauses require.

Documentation is the other pillar. Keep records of all data-protection-relevant activities and decisions, and review and update them regularly so your processes always match current legal requirements. Finally, stay proactive: use regular data protection audits and risk assessments to catch and reduce potential risks before they turn into breaches.

Frequently asked questions about Standard Contractual Clauses

What do SCCs stand for?

SCC stands for Standard Contractual Clauses — the model data protection clauses issued by the European Commission for transferring personal data outside the EU under the GDPR.

When do you need Standard Contractual Clauses?

You need SCCs (or another Article 46 safeguard) whenever you transfer personal data of people in the EU to a country outside the EEA that does not benefit from an EU adequacy decision — for example, when using a US-based cloud or SaaS provider.

What is the difference between SCCs and Binding Corporate Rules?

SCCs are a standardised contract used between separate organisations for a specific transfer. Binding Corporate Rules (BCRs) are internal, regulator-approved policies used to move data within a single corporate group. SCCs are faster to adopt; BCRs suit large multinationals with many intra-group transfers.

Are the old Standard Contractual Clauses still valid?

No. The pre-2021 SCCs were phased out. Since 2021, transfers must use the modernised SCCs adopted by the European Commission, which reflect the GDPR and the Schrems II ruling and use a modular structure for different transfer scenarios.

Do SCCs on their own guarantee compliance?

Not automatically. Following Schrems II, you must also assess whether the destination country's laws undermine the clauses (a transfer impact assessment) and add supplementary measures where needed.

Ready for the next step?

Book a demo with our team and see top.legal in action

More on the topic