What Are Standard Contractual Clauses (SCCs)? A Plain-English Guide

What are Standard Contractual Clauses? See why SCCs exist, the four modules, when you need them, and how they differ from a DPA.


by Riad Us Salehin • 5 July 2026


Standard Contractual Clauses (SCCs) are pre-approved contract terms issued by the European Commission. Once both parties sign, they legally transfer personal data from the EU or EEA to a country without an adequacy decision. The clauses bind the importer and exporter to GDPR-level protection for that data.

This guide covers why SCCs exist, when you need them, the four modules, and how they compare to a data processing agreement. It also covers where the UK and other regions fit in.

Why Do Standard Contractual Clauses Exist? (Third Countries and Adequacy)

The GDPR blocks personal data from leaving the EU or EEA by default. A transfer is lawful only if the destination has an adequacy decision, or another Article 46 safeguard applies. SCCs are the most widely used safeguard when no adequacy decision exists.

The European Commission grants an adequacy decision to a country whose laws it judges essentially equivalent to the GDPR. The United States has no blanket adequacy decision. A company sending EU personal data to a US-based vendor needs a safeguard under the GDPR to make that transfer legal.

SCCs fill that gap. One Reddit user, describing a US-based data importer relationship, called SCCs a "contract template authorized by the EU Commission for this purpose". That description matches the Commission's own framing: a ready-made contract, not a negotiation.

The 2021 SCCs were built specifically to answer the Schrems II ruling (CJEU C-311/18, 16 July 2020). That ruling struck down the previous EU-US Privacy Shield and forced companies back onto contract-based safeguards. It is why the current SCCs carry a mandatory risk-assessment step the older clauses never had.

When Do You Actually Need SCCs?

You need SCCs when you, or a vendor acting for you, send EU or EEA personal data to a country without an adequacy decision. This applies only when no other safeguard already covers that transfer.

Two situations change the answer:

  • You do not need SCCs if the destination country has an adequacy decision. A US importer certified under the EU-US Data Privacy Framework, for example, receives data under that adequacy route instead. The framework has faced sustained legal challenges since it took effect, so confirm a vendor's certification is current on the official DPF registry before relying on it. See transferring EU personal data to the US for the full picture on that decision's status.
  • SCCs are one of several Article 46 safeguards. Binding Corporate Rules serve the same purpose for transfers within a single corporate group, rather than between separate companies.

The distinction plays out in real vendor reviews. On r/gdpr, buyers routinely flag that a SaaS tool is not certified under the EU-US Data Privacy Framework. Such a vendor relies on SCCs instead for its data transfers. That is exactly the due-diligence check any EU business should run on its vendors. It matters most for US companies handling EU data.

The Four SCC Modules Explained

The 2021 SCCs are modular. You select the module that matches the roles of the exporter and the importer, not a generic one-size contract.

ModuleData flowExporter roleImporter roleTypical example
Module 1Controller to controllerControllerControllerTwo independent companies sharing customer data for a joint marketing campaign
Module 2Controller to processorControllerProcessorA company sending customer data to a US-based SaaS vendor for processing
Module 3Processor to sub-processorProcessorSub-processorA vendor passing data to its own hosting or analytics sub-processor
Module 4Processor to controllerProcessorControllerAn EU-based processor returning collected data to a non-EU controller

Module 2 is the module most website owners encounter. It covers the controller and processor roles at play when a business sends visitor data to an overseas software vendor. Firebase and Google Cloud both publish their own Module 2 clauses for this reason. Their customers are controllers sending data to a processor outside the EU.

Module 3 shows up further down the chain. Practitioners on r/gdpr adding a new sub-processor confirm you need fresh SCCs between yourself and each new sub-processor you bring in. That is Module 3 in practice. The original processor becomes the exporter, and the sub-processor becomes the importer.

The 2021 Modernized SCCs vs the Old Clauses

On 4 June 2021, the European Commission adopted a modernized set of SCCs. They were built for the GDPR and the Schrems II ruling. The new set replaced three older sets issued in 2001, 2004, and 2010 under the previous Data Protection Directive.

The transition was not optional and had firm cutoffs. Any contract signed after 27 September 2021 had to use the new 2021 SCCs. Existing contracts that already relied on the older clauses had until 27 December 2022 to switch. Past that date, the old clauses can no longer be relied on for an EU transfer.

The practical difference is not only the calendar. The 2021 SCCs added the modular structure, the mandatory Transfer Impact Assessment, and explicit third-party-beneficiary rights for the individuals whose data moves. The 2001, 2004, and 2010 clauses had none of that: a fixed, non-modular text with no assessment requirement.

How Do SCCs Work? Signing, Annexes, and Obligations

To use SCCs, the exporter and importer insert the correct module into their contract. They complete the annexes describing the parties and the data, sign the clauses, and take on binding obligations, including giving data subjects directly enforceable rights.

The annexes carry the specifics: who the parties are, what categories of data and data subjects are involved, and what security measures protect the data. A docking clause, if the parties include it, lets additional parties join the same contract later without renegotiating from scratch.

Do SCCs Need to Be Signed?

Yes. The SCCs "have to be signed by and binding on all parties, and incorporated into their contract," per the European Commission's own Q&A. The parties complete the annexes and select the applicable module, but the core clause text cannot be rewritten.

The only permitted changes are narrow. Parties may select the module and its options, complete the text where the clauses call for it, fill in the annexes, or add stronger safeguards. Anything else breaks the "standard" in Standard Contractual Clauses. A modified core text no longer qualifies as an SCC-based safeguard.

The Transfer Impact Assessment (and Why SCCs Are Not a Silver Bullet)

Signing SCCs is not enough on its own after Schrems II. Clause 14 requires the exporter and importer to run a Transfer Impact Assessment. It documents whether the destination country's laws and government-access practices could stop the importer from honoring its SCC obligations.

Where the assessment finds a real risk, the parties must add supplementary measures on top of the signed clauses. Stronger encryption and data minimization are common examples. The importer also has to promptly tell the exporter about any binding government request for the transferred data.

This limitation shows up in real transfer scenarios, not just in the text. Practitioners on r/gdpr discussing a transfer to China put the risk directly.

SCCs alone aren't a shield against Art. 44 risks in China without localized servers and EU-controlled encryption keys.

A signed contract cannot override the destination country's surveillance laws. The assessment step exists to catch that gap before data moves.

SCCs vs a Data Processing Agreement (DPA): What Is the Difference?

A data processing agreement (DPA) governs how a processor handles data for a controller, under GDPR Article 28. SCCs are the Article 46 safeguard that makes an international transfer of that same data lawful. They often live inside the same signed document, but they solve two different problems.

AttributeData Processing Agreement (DPA)Standard Contractual Clauses (SCCs)
GDPR basisArticle 28Article 46
PurposeGoverns how a processor may handle data for a controllerLegalizes a restricted international transfer
Always required?Whenever a controller uses a processor, EU-based or notOnly for transfers to a country without an adequacy decision
Fixed wording?No, freely drafted between the partiesYes, pre-approved text that cannot be substantively altered

The overlap runs deeper than the split above suggests. Modules 2 and 3 of the 2021 SCCs were written to carry the same processor obligations Article 28 already requires. Practitioners describe the SCCs as similar to a DPA that also binds the importer to the GDPR's statutory processor duties.

Many companies therefore embed the SCCs directly as an annex to their DPA, so one signed document satisfies both Article 28 and Article 46. That structural overlap is exactly why the two documents get confused so often.

SCCs Beyond the EU: the UK IDTA, the Addendum, and Other Regions

The EU SCCs cover EU and EEA transfers only, so several other jurisdictions built their own equivalents.

  • United Kingdom: the International Data Transfer Agreement (IDTA), a standalone contract published by the UK's Information Commissioner's Office. Or the UK Addendum, a bolt-on that attaches to the EU SCCs for organizations already using them for their UK GDPR transfers. Both took effect 21 March 2022. Contracts still relying on the old, pre-2021 EU SCCs for UK transfers had to switch to the IDTA or Addendum by 21 March 2024. Before using the IDTA, the exporter must run a Transfer Risk Assessment, the UK counterpart to the EU's Transfer Impact Assessment.
  • Switzerland: its own recognized standard contractual clauses cover transfers leaving Switzerland, separate from the EU set.
  • Other regions: standardized model clauses now also exist in Brazil, China, Turkey, Saudi Arabia, and across the ASEAN bloc.

The UK's Addendum route exists for organizations operating on both sides of the Channel. If you already use the EU SCCs for your European transfers, bolting on the Addendum avoids a second, separate IDTA contract for the same relationship.

How Consently Uses Standard Contractual Clauses

Consently incorporates the European Commission's Standard Contractual Clauses, specifically Module 2 (controller-to-processor), directly into its own customer Data Processing Agreement. It also hosts customer data on EU-based servers.

When you use Consently, Dorik, Inc. acts as a data processor for you, the controller, for the consent, cookie, and policy data the platform collects on your site. Consently's servers run in the European Union, which limits how much of your data ever needs an international-transfer safeguard in the first place. The customer DPA that ships with every plan already has the Module 2 SCCs built in, alongside a maintained subprocessor list.

You may also need to disclose your own site's data transfers to visitors. Consently's privacy policy generator helps you cover that inside what a privacy policy is for them. That disclosure is one of your core website legal documents. Consently also ships a privacy policy template and a matching cookie policy template as starting points.

Consently is a consent management tool, not a data-transfer-compliance product. It does not sign SCCs on your behalf with your own vendors, and it does not run your Transfer Impact Assessments. It does not by itself make your own US analytics or hosting arrangements lawful.

Its generators help you produce disclosures; they are not a substitute for legal advice. See Consently's DPA or start a free trial to check how your account's data flows are covered.

FAQs

Are standard contractual clauses still valid?

Yes. The 2021 EU SCCs remain valid and are the most widely used GDPR transfer safeguard. The older 2010 clauses were phased out for new contracts after 27 September 2021, and for existing contracts after 27 December 2022. They can no longer be relied on for an EU transfer.

Do SCCs need to be signed?

Yes. The SCCs must be signed by and binding on all parties, and incorporated into the contract. The parties complete the annexes and choose the applicable module, but cannot rewrite the core clause text.

What is the difference between SCCs and a DPA?

A DPA, under GDPR Article 28, governs how a processor handles data for a controller. SCCs, under Article 46, legalize an international transfer of that data. The two frequently appear in the same document but answer different legal questions.

Do I need SCCs if my vendor is certified under the EU-US Data Privacy Framework?

No, not for that specific transfer. An actively DPF-certified US importer receives data under an adequacy route instead of SCCs. Verify the certification is current before relying on it, since the framework has faced ongoing legal challenges since it took effect.

Can you modify the text of the SCCs?

No. The clauses are pre-approved and cannot be altered. The only exceptions are selecting the applicable module and its options, completing the annexes, or adding safeguards that increase protection.

What are the four modules of the SCCs?

Module 1 covers controller-to-controller transfers, Module 2 covers controller-to-processor, Module 3 covers processor-to-sub-processor, and Module 4 covers processor-to-controller. You select the module matching the two parties' actual roles.

Who are the data exporter and data importer in SCCs?

The data exporter sends the personal data, usually from inside the EU or EEA. The data importer receives it in the third country. Both parties sign the clauses and take on binding obligations under them.

Are the old (2010) standard contractual clauses still usable?

No, not for EU transfers. New contracts have needed the 2021 SCCs since 27 September 2021, and existing contracts had to switch by 27 December 2022. UK contracts relying on the old EU SCCs had to move to the IDTA or UK Addendum by 21 March 2024.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.