Standard Contractual Clauses (SCCs or Model Clauses)

Standard Contractual Clauses (SCCs) are a legal mechanism established by the European Commission to facilitate international data transfers while ensuring compliance with the General Data Protection Regulation (GDPR). SCCs provide pre-approved contractual terms that organizations can use when transferring personal data from the EU/EEA to third countries that lack an adequacy decision. These clauses impose binding obligations on both data exporters and importers, requiring them to implement appropriate safeguards to protect personal data. The modernized SCCs, introduced in June 2021, adopt a modular approach, allowing flexibility for different transfer scenarios while reinforcing data protection principles.

Module 1

Module 1 of the Standard Contractual Clauses (SCCs) under GDPR applies to data transfers between controllers—where both the data exporter and data importer act as controllers with independent decision-making authority. This module ensures that personal data is processed in compliance with GDPR principles, requiring both parties to uphold transparency, accountability, and security obligations. It mandates that the data importer provides safeguards equivalent to those in the EU, including respecting data subject rights, implementing security measures, and ensuring lawful processing. Additionally, the module includes provisions for third-party beneficiary rights, allowing data subjects to enforce protections directly against the importer.

Module 2

Module 2 of the Standard Contractual Clauses (SCCs) under GDPR applies to data transfers between controllers and processors, ensuring that personal data is processed and transferred across international borders in compliance with GDPR requirements.

Module 3

Module 3 of the Standard Contractual Clauses (SCCs) under GDPR applies to data transfers between processors and subprocessors, ensuring that personal data is processed and transferred across international borders in compliance with GDPR requirements.

Module 4

Module 4 of the SCCs applies to data transfers from processors subject to GDPR to controllers outside the scope of GDPR, ensuring that personal data is handled in compliance with GDPR principles.

Processing Descriptions

In the same way that Article 28(3) of GDPR requires the controller and processor to set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller, the SCCs also contain a section that allows the parties to describe the personal data transfers that will take place between them. Some drafters choose to provide largely general details, and others choose to include quite specific details.

Technical and Organizational Measures

Annex II of the SCCs calls for the parties to list the technical and organizational measures which are agreed, and provides the following list of example topics to set forth:
[Examples of possible measures:
Measures of pseudonymisation and encryption of personal data
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Measures for user identification and authorisation
Measures for the protection of data during transmission
Measures for the protection of data during storage
Measures for ensuring physical security of locations at which personal data are processed
Measures for ensuring events logging
Measures for ensuring system configuration, including default configuration
Measures for internal IT and IT security governance and management
Measures for certification/assurance of processes and products
Measures for ensuring data minimisation
Measures for ensuring data quality
Measures for ensuring limited data retention
Measures for ensuring accountability
Measures for allowing data portability and ensuring erasure]
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

Subprocessor Lists

The parties to a DPA often set forth the list of subprocessors as part of Annex III of the SCCs, although the explanatory note to Annex III indicates only that it must be completed when selecting Clause 9(a), Option 1 in connection with Modules Two and Three.

UK Addendum

A UK Addendum is added to the Standard Contractual Clauses (SCCs) to ensure compliance with UK GDPR following the country’s departure from the European Union. Since the EU SCCs were designed for data transfers under EU GDPR, they do not automatically align with UK-specific legal requirements. The UK Addendum, introduced by the Information Commissioner’s Office (ICO), modifies the SCCs to reflect UK data protection laws while maintaining consistency with international transfer mechanisms. This allows organizations to continue transferring personal data from the UK to non-adequate countries while meeting the necessary safeguards required under UK law.

Swiss Addendum

A Swiss Addendum is added to the Standard Contractual Clauses (SCCs) to ensure compliance with Swiss data protection laws, particularly the Federal Act on Data Protection (FADP). Since the EU SCCs were designed for transfers under EU GDPR, they do not automatically align with Swiss-specific legal requirements. The Swiss Federal Data Protection and Information Commissioner (FDPIC) recognizes the EU SCCs as a valid mechanism for international data transfers but requires modifications to reflect Swiss law. The Swiss Addendum ensures that personal data transferred from Switzerland to non-adequate countries meets the necessary safeguards under Swiss regulations, maintaining consistency with international privacy standards.