Legal

Standard Contractual Clauses

Pre-approved contract terms for transferring personal data from the EU to countries without an adequacy decision.

Standard Contractual Clauses (SCCs) are sets of contractual terms and conditions approved by the European Commission that provide appropriate safeguards for international data transfers from the EU/EEA to countries that do not have an adequacy decision.

When SCCs Are Used

When a data controller or data processor in the EU transfers personal data to a recipient in a country without an adequacy decision (e.g. the United States), SCCs are the most commonly used legal mechanism to legitimise the transfer.

Current Version

The 2021 SCCs (Commission Implementing Decision 2021/914) cover four scenarios:

  1. Controller to controller
  2. Controller to processor
  3. Processor to processor
  4. Processor to controller

Supplementary Measures

Following the Schrems II ruling, organisations may need to implement supplementary measures (e.g. encryption, access controls) alongside SCCs to ensure the transferred data is protected against government surveillance.

GDPR Article 46(2)(c).

Related Terms

Data ControllerPrivacy

The entity that determines the purposes and means of processing personal data.

Data ProcessorPrivacy

An entity that processes personal data on behalf of a data controller.

GDPRLegal

The General Data Protection Regulation — the EU's comprehensive data protection law, effective since May 2018.

Adequacy DecisionLegal

A determination by the European Commission that a non-EU country provides an adequate level of data protection.

Cross-Border TransferCompliance

The transfer of personal data from one country to another — subject to special rules under the GDPR.

Session CookieStorage Limitation