Standard Contractual Clauses (SCC) are pre-approved contractual templates adopted by the European Commission that provide appropriate data protection safeguards for personal data transferred from the EEA to third countries lacking an adequacy decision. They function as a legally binding mechanism under Article 46 of the GDPR, obligating both the data exporter and importer to uphold equivalent privacy standards.
Glossary
Standard Contractual Clauses (SCC)

What is Standard Contractual Clauses (SCC)?
Standard Contractual Clauses are pre-approved legal contract templates issued by the European Commission that provide adequate safeguards for data protection when transferring personal data out of the European Economic Area.
Following the Schrems II ruling, organizations relying on SCCs must conduct a Transfer Impact Assessment (TIA) to verify the destination country's laws do not impinge on the clauses' effectiveness. If gaps exist, supplementary technical measures—such as encryption or pseudonymization—must be implemented to ensure the data remains effectively protected in the recipient jurisdiction.
Key Features of Standard Contractual Clauses
Standard Contractual Clauses (SCCs) are pre-approved legal templates issued by the European Commission that provide adequate safeguards for data protection when transferring personal data out of the EEA. They function as a contractual bridge, binding the data exporter and importer to specific technical and organizational security measures.
Modular Architecture
The modernized 2021 SCCs utilize a modular design to cover diverse transfer scenarios, eliminating the need for separate sets of clauses. Parties select the module that corresponds to their specific roles.
- Module 1: Controller-to-Controller transfers
- Module 2: Controller-to-Processor transfers
- Module 3: Processor-to-Processor transfers
- Module 4: Processor-to-Controller transfers This structure ensures the contractual obligations are precisely tailored to the data processing relationship.
Mandatory Docking Clause
A docking clause is an integral, optional provision that allows new parties to accede to the existing SCCs throughout their lifecycle. This mechanism is critical for multiparty processing chains.
- Enables a new processor or sub-processor to join the contract without renegotiation.
- Preserves the original safeguards as the data supply chain evolves.
- Ensures continuous compliance when onboarding new service providers during a long-term data processing agreement.
Technical and Organizational Measures (TOMs)
Annex II of the SCCs requires a detailed description of the Technical and Organizational Measures (TOMs) the data importer implements. This annex transforms generic legal promises into verifiable security commitments.
- Pseudonymization and encryption of personal data
- Confidentiality, integrity, availability, and resilience of processing systems
- Incident response and disaster recovery procedures
- Regular testing and auditing of security effectiveness These measures are subject to audit by the exporter, providing a direct enforcement mechanism.
Transfer Impact Assessment Integration
Following the Schrems II ruling, the SCCs are no longer a standalone solution. Parties must conduct a Transfer Impact Assessment (TIA) before executing the clauses. The SCCs explicitly require the parties to warrant that they have no reason to believe the laws of the destination country prevent the importer from fulfilling its obligations.
- The TIA evaluates the rule of law and surveillance practices in the destination country.
- If the TIA identifies a conflict, supplementary measures (e.g., end-to-end encryption with importer-held keys) must be layered on top of the SCCs.
Third-Party Beneficiary Rights
The SCCs grant direct enforceable rights to data subjects, making them third-party beneficiaries to the contract. This mechanism bypasses the traditional privity of contract, allowing individuals to sue the data importer directly for breaches.
- A data subject can claim material or non-material damages from either the exporter or the importer.
- The importer bears the burden of proof to demonstrate it was not responsible for the damage.
- This creates a powerful private enforcement mechanism outside of regulatory action.
Sub-Processing Controls
The SCCs impose a strict prior authorization regime for engaging sub-processors. The data importer cannot delegate processing to a third party without the exporter's explicit consent.
- General Written Authorization: The exporter pre-approves a list of sub-processors, with the importer obligated to inform the exporter of any changes and provide an opportunity to object.
- Flow-Down Obligations: The importer must impose the same data protection obligations on the sub-processor via a written contract, creating a cascading chain of liability.
- If the sub-processor fails, the initial importer remains fully liable to the exporter.
Frequently Asked Questions
Clear, technical answers to the most common legal and architectural questions surrounding the use of Standard Contractual Clauses (SCCs) for cross-border data transfers under the GDPR.
Standard Contractual Clauses (SCCs) are pre-approved legal contract templates issued by the European Commission that provide adequate safeguards for data protection when transferring personal data out of the European Economic Area (EEA). They function as a transfer tool under Article 46 of the GDPR, creating binding contractual obligations between a data exporter (in the EEA) and a data importer (in a third country). The modern SCCs, adopted in June 2021, use a modular approach with four distinct modules covering Controller-to-Controller, Controller-to-Processor, Processor-to-Processor, and Processor-to-Controller transfers. By executing these clauses without modification, organizations create a legally enforceable framework that ensures the importer provides a level of protection essentially equivalent to the GDPR, even in jurisdictions lacking an adequacy decision.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Master the legal and technical mechanisms that operationalize Standard Contractual Clauses in cross-border data transfer architectures.
Transfer Impact Assessment (TIA)
A mandatory risk evaluation required before executing SCCs. Following the Schrems II ruling, exporters must assess whether the destination country's laws provide essentially equivalent protection to GDPR. The TIA documents surveillance risks, identifies supplementary measures, and proves the SCCs are effective in practice—not just on paper.
Binding Corporate Rules (BCR)
Legally binding internal data protection policies for multinational corporate groups. Unlike SCCs—which govern specific controller-to-processor relationships—BCRs authorize intra-organizational transfers across a corporate group to countries without an adequacy decision. Requires approval from a lead supervisory authority and covers all group entities.
Adequacy Decision
A formal European Commission declaration that a non-EU country provides essentially equivalent data protection to the GDPR. When an adequacy decision exists, data flows freely without SCCs or additional safeguards. As of 2024, countries with adequacy include Japan, the UK, South Korea, and Switzerland.
Data Processing Agreement (DPA)
The legally binding contract between a data controller and a data processor that sits alongside SCCs. The DPA specifies:
- Scope and purpose of processing
- Duration of data handling
- Technical and organizational security measures
- Sub-processor authorization rules SCCs provide the transfer mechanism; the DPA defines the operational relationship.
Supplementary Measures
Technical, contractual, and organizational safeguards layered on top of SCCs when the TIA reveals gaps in destination-country protections. Examples include:
- End-to-end encryption with keys held exclusively by the exporter
- Pseudonymization rendering data unintelligible
- Confidential computing enclaves preventing foreign administrative access Without effective supplementary measures, SCC-based transfers may be unlawful.
Cross-Border Transfer
Any movement of personal data from the European Economic Area (EEA) to a third country. SCCs are the most widely used Article 46 GDPR transfer tool for legitimizing these flows. The 2021 modernized SCCs introduced a modular approach covering four transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us