Standard Contractual Clauses for Data Transfers

Standard Contractual Clauses for Data Transfers

Updated: June 2026

If you send personal data from the EU or the UK to countries such as the US, India, or China, you need to comply with applicable legal frameworks. Standard contractual clauses are the primary tool that businesses use to legally transfer personal data internationally in compliance with data protection regulations.

These pre-approved contracts from regulators enable you to transfer personal data to third countries, ensuring the data is subject to adequate protection measures equivalent to local standards.

Signing standard contractual clauses is no longer sufficient on its own. Since the Schrems II ruling, you must also conduct risk assessments and implement additional safeguards when necessary.

Key Takeaways

Standard contractual clauses are pre-approved legal contracts that allow data transfers to countries without adequacy decisions from data protection authorities.

You must use the correct version – EU SCCs for European Union data, UK versions for UK data transfers.

Every transfer requires a transfer risk assessment to evaluate if the destination country’s laws could undermine the contractual clauses.

What are Standard Contractual Clauses?

Standard contractual clauses are template legal agreements provided by the European Commission and UK regulators, allowing organisations to transfer personal data to third countries outside the European Economic Area.

Their core purpose is to ensure that personal data transfers receive the same level of protection abroad as they would under EU GDPR or UK GDPR.

Unlike binding corporate rules, which require lengthy regulatory approval processes, standard contractual clauses offer a ready-made solution. You can implement them immediately without waiting for your relevant data protection authority to review your specific transfer arrangements.

These contractual clauses create legally binding obligations for data importers. The receiving organisation must implement appropriate safeguards and grant data subjects the same rights they’d have under European Union or UK data protection laws.

For most organisations handling international data transfers, standard contractual clauses represent the most practical transfer mechanism available.

EU SCCs vs UK SCCs: which version do you need?

Following Brexit, the EU and the UK developed separate versions of standard contractual clauses. You must use the correct clauses based on where your data originates, not where it’s going.

What SCCs apply to data leaving the EU?

New EU SCCs: The European Commission issued new Standard Contractual Clauses (SCCs) on 4 June 2021. All new contracts since 27 September 2021 must use the new SCCs.

For existing contracts using the old SCCs (those signed before 27 September 2021), the EU allowed a transition period. The critical cutoff was 27 December 2022.

The new SCCs feature a modular structure with four different modules:

• Module 1: Controller-to-controller transfers

• Module 2: Controller-to-processor transfers

• Module 3: Processor-to-processor transfers

• Module 4: Processor-to-controller transfers

This modular approach lets you include only the clauses relevant to your specific transfer scenario, whether you’re working within corporate groups or with external data importers.

What applies to data leaving the UK?

You have two options for transferring personal data from the UK:

1. International Data Transfer Agreement (IDTA): The UK’s standalone version is designed specifically for UK data transfers.

2. UK Addendum: A short attachment that converts new EU SCCs into a compliant solution for UK transfers.

The UK addendum works particularly well when the same data transfer involves both EU and UK personal data. Instead of managing separate agreements, you can use EU SCCs with the UK addendum attached.

Which version of SCCs should you use?

• EU origin data: Use the new EU SCCs (2021 version).

• UK origin data: Use IDTA or EU SCCs plus UK addendum.

• EU to UK transfers: Generally, no standard contractual clauses are needed due to adequacy decisions.

Why are SCCs alone no longer sufficient after Schrems II?

The Schrems II ruling, issued in July 2020, changed the way standard contractual clauses operate. The court found that simply signing these agreements is not sufficient if the destination country’s laws could undermine the promised protections.

This ruling specifically targeted US government surveillance laws under FISA 702 and Executive Order 12333, which were found to be incompatible with EU privacy rights.

What must a Transfer Impact Assessment include?

Every organisation using standard contractual clauses must now conduct and document a transfer impact assessment (for EU transfers) or transfer risk assessment (for UK transfers).

This assessment must include:

1. Map your transfer: Document what data you’re sending, to whom, and where it’s going.

2. Identify your safeguards: Specify which standard contractual clauses or international data transfer agreement you’re using.

3. Assess destination country laws: Evaluate whether local surveillance, law enforcement access, or other legal frameworks could override your contractual protections.

4. Implement supplementary measures: Add technical, organisational, or contractual safeguards if you identify risks.

5. Document everything: Keep detailed records and update them when relevant laws change.

Data protection authorities across multiple jurisdictions now expect organisations to demonstrate these steps during compliance reviews.

What supplementary measures might be needed?

Common supplementary measures include:

• Technical safeguards: Encryption, pseudonymisation, data minimisation.

• Organisational measures: Staff training, access controls, regular audits.

• Contractual commitments: Additional privacy warranties, notification requirements.

The specific circumstances of your transfer determine which measures are required.

When do you need Standard Contractual Clauses?

Knowing when standard contractual clauses apply helps businesses understand the rules around international data transfers.

What SCCs does a UK company using US cloud services need?

Most US providers don’t have UK adequacy status (except those certified under the UK-US Data Bridge programme). If your provider isn’t certified, you’ll need either the IDTA or EU SCCs with UK addendum, plus a transfer risk assessment.

This scenario affects thousands of UK businesses that use services such as AWS, Google Cloud, or Microsoft Azure to process personal data.

What about EU data transfers to India?

India doesn’t have an adequacy decision from the European Commission. Any personal data transfers to Indian processors require new EU SCCs and a comprehensive transfer impact assessment.

Given India’s developing data protection compliance framework, your assessment will likely identify areas requiring supplementary measures. For a broader perspective, consider how DPIA requirements vary across global jurisdictions.

What are the requirements for data transfers to China?

China presents challenges beyond standard contractual clauses. Chinese regulations require any data transfer agreements to be filed with cybersecurity authorities within 10 business days of signing.

This creates an additional administrative burden on top of standard transfer impact assessment requirements.

When do you not need Standard Contractual Clauses?

UK-to-Canada transfers typically don’t require standard contractual clauses because Canada has UK adequacy status, provided the data importer falls under Canadian privacy law (PIPEDA).

Similarly, transfers between EU member states within the European Economic Area don’t need these agreements.

How can GDPRLocal help with Standard Contractual Clauses?

Managing compliant international data transfers requires expertise across multiple jurisdictions and ongoing monitoring of regulatory updates. Here’s how we help organisations ensure compliance:

How does GDPRLocal select the right framework for data transfers?

We analyse your specific data flows to determine whether you need EU SCCs, the UK addendum, or IDTA for each transfer relationship. This includes mapping intra-group transfers and complex multi-party arrangements.

How does GDPRLocal conduct transfer risk assessments?

Our team conducts detailed transfer impact and risk assessments that meet regulatory expectations. We evaluate the laws of destination countries, identify potential conflicts, and recommend appropriate supplementary measures.

What supplementary measures does GDPRLocal help implement?

When standard contractual clauses alone aren’t sufficient, we help implement technical and organisational safeguards tailored to your risk profile and business needs.

How does GDPRLocal support ongoing compliance monitoring?

Data protection laws evolve constantly. We track regulatory changes across multiple jurisdictions and update your transfer arrangements when new requirements emerge.

What staff training and documentation support is available?

We ensure your team understands their obligations under standard contractual clauses and maintain the electronic documents required for regulatory compliance.

How does GDPRLocal handle complex transfer scenarios?

For challenging destinations like China or transfers involving multiple jurisdictions, we coordinate compliance across different regulatory frameworks to ensure protection.

Conclusion

Standard contractual clauses provide a practical basis for international data transfers, but they’re just the starting point. The Schrems II ruling made it clear that thorough risk assessments and appropriate supplementary measures must accompany these agreements.

With the December 2022 deadline now passed, organisations using outdated agreements face immediate compliance risk. The regulatory framework continues evolving, making ongoing compliance monitoring necessary for any business engaged in cross-border data transfers.

The parties involved in data transfers all share responsibility for ensuring ongoing compliance with data protection principles. Unsure if your standard contractual clauses are compliant? Contact GDPRLocal for a complete assessment of your data transfer needs.

Frequently Asked Questions

Are old SCCs from before 2021 still valid for existing contracts?

No. Old EU SCCs became completely invalid in December 2022, even for existing contracts. Organisations must update to new SCCs or face compliance violations. The European Commission provided a transition period that has now expired.

When do I need to conduct a Transfer Impact Assessment?

You must conduct a transfer impact assessment for every transfer using standard contractual clauses. This applies regardless of the destination country and must be completed before the transfer begins. The assessment must be documented and regularly reviewed.

Do I need SCCs for transfers to countries with adequacy decisions?

No. Countries with adequacy decisions from your relevant data protection authority don’t require standard contractual clauses. However, verify that your specific transfer scenario falls within the scope of the adequacy decision, as some have limitations or conditions.

Ana Mishova

About the Author

Ana Mishova

Sales and Business Development Consultant — GDPRLocal

Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.