
Standard Contractual Clauses (SCCs)

EU-approved contractual templates that establish a legal basis for personal data transfers from the EU to non-EU countries lacking adequacy decisions.

## What SCCs actually are

Standard Contractual Clauses (SCCs) are pre-approved contractual templates published by the European Commission that establish a legal basis for transferring personal data from the EU to non-EU countries that lack adequacy decisions. SCCs are one of several mechanisms (along with adequacy decisions, BCRs, and derogations) that GDPR Article 46 allows for international data transfers.

The current SCCs were adopted in June 2021, replacing earlier 2010 and 2004 versions. The 2021 update was specifically designed to address Schrems II concerns by incorporating Transfer Impact Assessment requirements and providing clearer obligations for both parties.

## How SCCs work

SCCs are templates that organizations transferring data sign with their data processors or controllers in non-EU countries. The signed SCCs become legally binding contractual obligations that:

1. Require the data importer (non-EU recipient) to apply EU-equivalent data protection
2. Grant data subjects rights enforceable against the importer
3. Create obligations to assess and address legal differences in destination country
4. Establish liability and remedies for violations

## The four SCC modules

The 2021 SCCs include four modules covering different transfer scenarios:

### Module 1: Controller to Controller

Where both EU exporter and non-EU importer are data controllers — for example, a European company sharing customer data with a US partner that processes it for their own purposes.

### Module 2: Controller to Processor

Where the EU exporter is a data controller and the non-EU importer is a data processor — the most common scenario. Used when a European business uses a US-based SaaS provider as a processor (cloud storage, analytics, CRM, etc.).

### Module 3: Processor to Processor

Where both EU exporter and non-EU importer are data processors — for example, when a European cloud provider uses a US-based subprocessor.

### Module 4: Processor to Controller

Where the EU exporter is a data processor and the non-EU importer is a controller — less common; used when a European processor returns data to a non-EU controller.

For most European businesses, Module 2 is the most relevant — used whenever they engage US-based SaaS providers as processors.

## What SCCs require

Signed SCCs impose substantial obligations on both parties:

### On the data exporter (EU side)

- Conduct Transfer Impact Assessment before transfer
- Document supplementary measures where legal framework is inadequate
- Ensure recipient meets contractual obligations
- Notify data subjects about transfer in privacy notices
- Maintain records of processing including transfer details

### On the data importer (non-EU side)

- Apply EU-equivalent data protection principles
- Respect data subject rights as if EU controller
- Notify exporter of any government data access requests (where legally permitted)
- Challenge unlawful surveillance requests where possible
- Provide comprehensive information about local legal framework
- Submit to enforcement by EU data protection authorities

### On both parties

- Document all transfers and supplementary measures
- Cooperate with data protection authorities
- Maintain liability for violations including financial compensation

## Why SCCs are not sufficient on their own

The Schrems II ruling clarified that SCCs alone are not sufficient where destination country legal frameworks fall below GDPR's "essentially equivalent" standard. The court ruled:

1. SCCs remain valid as legal instruments
2. But data exporters must verify that contractual safeguards can compensate for legal differences
3. This verification is the [Transfer Impact Assessment](/en/glossary/transfer-impact-assessment/) (TIA)
4. If TIA shows contractual safeguards are insufficient, supplementary measures are required
5. If no combination of measures achieves adequate protection, transfer must not proceed

For US transfers specifically, this means SCCs + TIA + appropriate supplementary measures (typically encryption with EU-controlled keys, robust access controls, transparency mechanisms) — not SCCs alone.

## SCCs and the Data Privacy Framework

The EU-US Data Privacy Framework (DPF), adopted in 2023, simplified some US transfers. For transfers to DPF-certified US companies, the adequacy decision provides legal basis without requiring SCCs.

However, SCCs remain important:

- For US recipients not DPF-certified
- As fallback if DPF is invalidated (Schrems III scenario)
- For transfers to non-US countries lacking adequacy decisions
- For specific scenarios DPF doesn't cover

Most European businesses maintain SCCs in place for US transfers even when DPF coverage is available — providing legal redundancy.

## Common SCC implementation issues

Several patterns produce inadequate SCC implementation:

### 1. Generic templates without customization

SCCs are templates but require customization (Annex with specific transfer details, technical and organizational measures, etc.). Generic execution without customization doesn't meet requirements.

### 2. Missing TIAs

Signing SCCs without conducting TIAs is the most common compliance gap. Schrems II made TIAs mandatory, but many organizations haven't implemented the workflow.

### 3. Inadequate supplementary measures

Identifying supplementary measures without actually implementing them. Documentation should reflect actual deployment.

### 4. No periodic review

SCCs need periodic review when destination country law changes. The 2022 EO 14086 changed US framework — SCC-based transfers should have been reviewed.

### 5. Subprocessor chain documentation

When importers use sub-processors, those relationships need documentation. SCCs require flow-down to subprocessors but execution is often spotty.

## SCCs vs other transfer mechanisms

For European businesses choosing between transfer mechanisms:

| Mechanism | Best for | Operational complexity |
|---|---|---|
| **Adequacy decision** | Transfers to adequacy countries (UK, Switzerland, etc.) | Lowest |
| **DPF (where applicable)** | Transfers to certified US companies | Low |
| **SCCs + TIA** | Transfers to non-adequacy countries | Medium |
| **BCRs** | Intra-group transfers within multinational | High setup, low ongoing |
| **Derogations** | Specific narrow situations | Limited applicability |

For most European businesses with US providers, SCCs (potentially in addition to DPF) plus TIAs is the practical pattern.

## What 2026-2027 brings

Several factors affect SCC practice:

### Possible Schrems III

If DPF is invalidated, SCC + TIA returns to being primary US transfer mechanism. Volume of SCC-based transfers would increase substantially.

### Updated SCCs possible

The Commission may publish updated SCCs reflecting lessons from current implementation. Timeline uncertain but possible 2026-2027.

### Sector-specific approaches

Some industry sectors are developing standardized approaches to SCC implementation, reducing per-transfer compliance overhead.

### Tooling maturation

Legal tech tools (Palqee, Keepabl, others) increasingly support SCC management workflow.

## Practical implications

For European businesses managing transfers in 2026:

1. **Maintain SCCs for all non-adequacy transfers** — even those covered by DPF, as legal redundancy
2. **Customize SCC annexes** — generic templates aren't adequate
3. **Conduct and document TIAs** alongside SCC execution
4. **Implement supplementary measures actually** — don't just identify them on paper
5. **Periodic review of SCCs** — annual minimum, more if destination law changes
6. **Map sub-processor flow-down** — verify chain of SCC-equivalent obligations

For most European businesses, the operational answer remains: where possible, choose [EU-resident processing](/en/compliance/eu-data-residency/) to avoid SCC requirements entirely. Where US or other non-EU providers are necessary, maintain rigorous SCC implementation as ongoing compliance practice.