Standard Contractual Clauses are model contract terms published by the European Commission that, when signed unmodified between an EU exporter and a non-EU importer, provide a lawful basis for transferring personal data outside the EEA under GDPR Article 46.
The current version was adopted in June 2021, replacing the earlier 2001/2004/2010 sets. The 2021 SCCs are modular, with four configurations:
- Module 1: controller to controller.
- Module 2: controller to processor.
- Module 3: processor to processor.
- Module 4: processor to controller.
Vendors typically incorporate the relevant module by reference into their DPA, and most attach the SCCs as an appendix.
SCCs alone aren't enough
The 2020 Schrems II judgment made clear that signing SCCs is necessary but not sufficient. The exporter must also assess whether the law of the importing country provides essentially equivalent protection — and if not, supplement the SCCs with additional measures (encryption, pseudonymisation, contractual commitments). This assessment is the Transfer Impact Assessment (TIA).
In practice this means: SCCs + TIA + supplementary measures, where the third element depends on what the TIA found.
Where they show up in vendor monitoring
Three things to watch:
- The SCC version. Vendors had until December 2022 to migrate from the old SCCs to the 2021 version. Anyone still on the old set is non-compliant.
- The module. Make sure the module matches the actual relationship — controller-to-processor when you're hiring them as a processor, processor-to-processor when they're using a sub-processor.
- Annexes. SCCs include annexes for the description of processing, the list of sub-processors, and security measures. These annexes change as the vendor's stack changes; treat them with the same monitoring discipline as the main DPA.