Standard Contractual Clauses (SCCs): GDPR Guide for 2026

GDPR Standard Contractual Clauses guide. Module selection, transfer impact assessment, SCC implementation for US data transfers, and 2024-2026 updates.

Standard Contractual Clauses (SCCs) are the most widely used mechanism for transferring personal data from the EU/EEA to third countries without an adequacy decision. The European Commission released the modernized SCCs on 4 June 2021 under Decision (EU) 2021/914, replacing the legacy 2001-2010 templates. After Schrems II (CJEU C-311/18), SCCs alone are not enough — exporters must also conduct a Transfer Impact Assessment (TIA) documenting that the destination country offers protection essentially equivalent to the GDPR.

This guide explains the four SCC modules, when each applies, how to structure the TIA, and what changed in 2024-2026 with the EU-U.S. Data Privacy Framework (DPF), the renewed Swiss adequacy decision, and the UK Addendum.

For the broader cross-border framework, see our GDPR cross-border data transfers guide. For the supervisory infrastructure, see our GDPR supervisory authority overview.

Key takeaways

  • SCCs are GDPR Article 46(2)(c) safeguards that enable transfers to non-adequate third countries.
  • The 2021 SCCs use a modular architecture: Module 1 (controller-to-controller), Module 2 (controller-to-processor), Module 3 (processor-to-processor), Module 4 (processor-to-controller).
  • A Transfer Impact Assessment (TIA) is mandatory under Schrems II and the EDPB Recommendations 01/2020.
  • For US transfers, the EU-U.S. Data Privacy Framework (in force 10 July 2023) replaces SCCs for self-certified US organizations — no SCCs needed.
  • Legacy SCCs (2001/2010) are no longer valid. All transfers must use 2021 SCCs or the EU-U.S. DPF.

1. The four SCC modules

The 2021 SCCs cover four transfer scenarios. Selecting the wrong module invalidates the safeguard.

Module   | Scenario                | Typical use case
Module 1 | Controller → Controller | Two independent businesses sharing customer data (joint marketing campaign, B2B referrals)
Module 2 | Controller → Processor  | EU customer using a non-EU SaaS without DPF certification
Module 3 | Processor → Processor   | Sub-processor chain crossing EU borders (e.g., EU SaaS sub-contracting to a non-EU support team)
Module 4 | Processor → Controller  | Non-EU vendor returning processed data to an EU controller (rare in practice)

The same agreement can combine multiple modules if the parties switch roles for different processing operations. Annex I and Annex II must be completed for each module independently.

2. The mandatory annexes

The SCCs themselves are non-negotiable boilerplate. The annexes are where the work happens:

Annex I.A — List of Parties

Identify exporter and importer with full legal names, addresses, signatory representatives, and contact data of the data protection officer (where designated).

Annex I.B — Description of the Transfer

  • Categories of data subjects (customers, employees, prospects, suppliers…)
  • Categories of personal data (identifiers, contact data, financial data, health data, etc.)
  • Sensitive data (Article 9 categories) — flag explicitly with applicable safeguards
  • Frequency of the transfer (continuous, batch, on-request)
  • Nature of the processing
  • Purpose of the transfer
  • Retention period
  • For sub-processors: subject matter, nature, and duration of the sub-processing

Annex I.C — Competent Supervisory Authority

The lead supervisory authority of the controller’s establishment in the EU. Cannot be left blank.

Annex II — Technical and Organizational Measures

Specific to the transfer. Generic copy-paste fails. Must cover:

  • Pseudonymization and encryption
  • Confidentiality, integrity, availability, resilience
  • Backup and disaster recovery
  • Testing of security measures
  • User identification and authorization
  • Physical security
  • Data minimization, quality, retention
  • Incident response

For US transfers under SCC, this annex is critical: it documents the technical measures (e.g., end-to-end encryption with EU-held keys) that supplement the SCCs and address Schrems II concerns about US surveillance access.

Annex III — List of Sub-Processors (Module 2 and 3)

Names and locations of sub-processors. Must be updated when sub-processors change.

3. The Transfer Impact Assessment (TIA)

Schrems II requires the exporter to assess whether the destination country’s law provides essentially equivalent protection. The EDPB Recommendations 01/2020 provide a six-step methodology:

Step 1 — Know the transfer

Map every transfer: data, recipient, country, purpose, retention. Without a precise inventory, the TIA is impossible.

Step 2 — Identify the transfer tool

Adequacy decision, SCCs, BCRs, certification, or derogation. Most transfers under TIA scope use SCCs.

Step 3 — Assess the third country law

Critical step. Examine:

  • Public authority access laws (FISA 702, EO 12333 for US; comparable for other countries)
  • Practical implementation (case law, transparency reports, rulings)
  • Data subject redress mechanisms
  • Comparison with Schrems II benchmarks

For high-risk countries (US outside the DPF, China, India, Russia), a problematic finding is likely. Document it.

Step 4 — Identify supplementary measures

If the third country falls short, add measures to bring protection up to standard:

  • Technical: end-to-end encryption with keys held by the exporter only, pseudonymization, split processing
  • Contractual: notification obligations on government access requests, transparency reports, audit rights
  • Organizational: data minimization, processing isolation, access controls

Step 5 — Procedural steps

Implement the supplementary measures. Document.

Step 6 — Re-evaluate

TIAs are not one-shot. Reassess at least annually, and immediately if:

  • The destination country’s law changes
  • A new transparency report or court ruling reveals new risks
  • The processing scope changes

4. SCCs and the EU-U.S. Data Privacy Framework

The EU-U.S. Data Privacy Framework entered into force on 10 July 2023, replacing Privacy Shield. For US organizations self-certified under DPF:

  • Transfers from EU to certified US recipients are treated as transfers to an adequate country
  • No SCCs required, no TIA required
  • Verification: check the recipient’s certification status on dataprivacyframework.gov

For US organizations not certified, SCCs + TIA + supplementary measures remain mandatory.

Risk: a “Schrems III” challenge to DPF could invalidate it. Best practice in 2026: maintain SCCs and TIA documentation in parallel as a fallback, even for DPF-certified recipients.

5. SCCs and the UK GDPR

The UK left the EU in 2020 and operates under the UK GDPR. The UK Information Commissioner’s Office (ICO) issued the International Data Transfer Agreement (IDTA) and UK Addendum to EU SCCs in March 2022.

Two options for UK exporters:

  1. IDTA standalone for UK-only transfers
  2. EU SCCs + UK Addendum for joint EU-UK exporters (most common)

The UK Addendum modifies references to EU law and substitutes ICO as competent supervisory authority. It is signed alongside the EU SCCs.

6. SCCs and Switzerland

The Swiss Federal Council issued Swiss SCCs mirroring the 2021 EU SCCs, with adaptations referencing the revised Swiss Federal Act on Data Protection (nLPD) and the Federal Data Protection and Information Commissioner (PFPDT). For transfers from Switzerland to non-adequate third countries, use either:

  1. Swiss SCCs of the Federal Council
  2. EU SCCs with a Swiss adaptation annex (recognized by the PFPDT)

For details on Swiss data flows, see data transfers to Switzerland under nLPD.

7. Common SCC implementation errors

  1. Using legacy 2001/2010 SCCs — invalid since 27 December 2022. Re-sign with 2021 SCCs.
  2. Missing TIA — Schrems II requires it. CNIL and Irish DPC have sanctioned multiple controllers for absence.
  3. Generic Annex II — copy-paste of “industry standard security” is insufficient.
  4. Wrong module — using Module 2 (controller-to-processor) when the recipient is actually a controller invalidates the safeguard.
  5. Sub-processor cascade missing — for Module 3, all sub-processors must be in Annex III with their own SCCs.
  6. Transparency obligations skipped — Article 13/14 GDPR requires informing data subjects of the country of recipient and the safeguard mechanism.
  7. Outdated DPF check — if relying on DPF, verify certification annually. Lapsed certifications void the basis.

8. Practical case: EU SaaS using US sub-processor (no DPF)

EU SaaS company (controller-to-controller customer relationship) uses a US-based AI vendor for content moderation. The vendor is not DPF-certified.

SCC architecture:

  • EU SaaS = controller, US vendor = processor → Module 2
  • Annex I.B: data subjects = end users, data = uploaded content, frequency = continuous, retention = 90 days
  • Annex II: end-to-end encryption with EU-held keys, content stored in tokenized form, US vendor can only see hashed inputs
  • Annex III: list of any further sub-processors of the AI vendor

TIA:

  • Step 3: US has FISA 702 and EO 12333 access — problematic
  • Step 4: technical measure = encryption with EU keys means actual content is unreadable to US authorities
  • Step 5: documented, signed, retained

Transparency: privacy policy mentions US AI vendor, country, SCC mechanism, EDPB recommendations.

This setup is defensible. Without the encryption supplement, it would not be.

9. Automating SCC and TIA management

For a company with 20+ international vendors, manual SCC management becomes intractable. Legiscope maps international data flows automatically by parsing DPAs, flags missing or expired SCCs, generates TIA templates per destination country, and alerts when DPF certifications lapse. The platform aligns GDPR + nLPD requirements for companies operating in both regimes.

For UK-specific guidance, see our UK GDPR transfer overview. For TIA methodology, see the Transfer Impact Assessment guide. For a mechanism comparison, see BCR vs SCC vs DPF.

Conclusion

Standard Contractual Clauses are not a substitute for due diligence — they are the contractual foundation on which the Transfer Impact Assessment, supplementary measures, and ongoing monitoring sit. The 2021 SCCs are robust; the failure mode is almost always implementation: wrong module, blank annexes, missing TIA, or generic security claims. A controller using SCCs without these supporting elements is exposed to the same enforcement risk as one with no transfer mechanism at all.

FAQ

Are SCCs still valid after Schrems II?

Yes, but with conditions. The CJEU ruled SCCs are valid only if the exporter can ensure the destination country provides essentially equivalent protection. This requires a Transfer Impact Assessment and, if necessary, supplementary measures (technical, contractual, organizational).

Do I need SCCs for transfers to the United States?

It depends on the recipient. If the US recipient is self-certified under the EU-U.S. Data Privacy Framework, no SCCs are required. For all other US recipients, SCCs + TIA + supplementary measures are mandatory.

How often should I update the TIA?

At least annually, and immediately when: (1) the destination country’s law changes, (2) new public information (transparency reports, court rulings) emerges, (3) the processing scope or vendor changes.

Can I use the same SCC for multiple data transfers?

Yes, if the data, purposes, and recipients are within the scope described in the annexes. New transfers requiring different categories of data or different recipients require an updated SCC or a new agreement.

What happens if my SCC counterparty refuses to sign the 2021 SCCs?

The transfer cannot rely on SCCs. Alternative paths: identify if the recipient qualifies for an adequacy decision (UK, Switzerland, etc.), check DPF certification (US), or use derogations under Article 49 GDPR. Refusing to sign 2021 SCCs is a strong signal of compliance gaps.

Legiscope automates this for you

Stop doing compliance manually. Legiscope's AI handles ROPA creation, DPA audits, and gap analysis — in minutes, not weeks.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.