
Standard Contractual Clauses (SCCs)

GDPR

EU Commission-approved clauses providing a lawful basis for personal-data transfers outside the EEA.

Standard Contractual Clauses are pre-approved data-transfer contracts (2021 modular form) used to legitimise transfers of personal data from the EEA to a third country lacking an adequacy decision. The UK has its own International Data Transfer Agreement (IDTA) and Addendum.

Why it matters
Post-Schrems II, SCCs alone are not enough — controllers must perform a Transfer Impact Assessment (TIA) and apply supplementary measures (typically encryption) where target-country laws fail the equivalent-protection test.

Related terms

Schrems II
2020 CJEU ruling invalidating Privacy Shield and requiring case-by-case TIA for EU→US data transfers.
GDPR
EU regulation governing processing of personal data of EU/EEA data subjects; fines up to €20M or 4% of global turnover.
Data Processing Agreement (DPA)
Contract between a controller and processor codifying GDPR Art. 28 obligations.
