By Courtney Pocock

Verified review

Standard Contractual Clauses (SCCs) are pre-approved contract templates that authorise the transfer of personal data from the European Union or United Kingdom to countries that lack an adequacy decision from the European Commission. They were created by the European Commission under Article 46(2)(c) of the GDPR and constitute the most widely-used legal mechanism for cross-border data transfers. The current (June 2021) SCCs replaced the older 2001/2004/2010 sets following the Court of Justice of the European Union’s Schrems II decision in July 2020, which invalidated the EU-US Privacy Shield and required substantive supplementary measures to accompany contractual transfer mechanisms.

The new SCCs are structured as a single document with four modules covering different transfer relationships: controller-to-controller (Module 1), controller-to-processor (Module 2), processor-to-processor (Module 3), and processor-to-controller (Module 4). The parties select the applicable module based on their relationship, execute the clauses as a binding contract, and supplement them with a Transfer Impact Assessment documenting why the SCCs are effective for the specific transfer route. The combination of executed SCCs plus documented TIA is the standard legal basis for transfers to non-adequate countries.

For international employers, SCCs sit at the centre of HR data compliance whenever employee personal data flows from EU/UK to non-EU group companies, service providers, or sub-processors. The most common SCC scenarios are intra-group transfers to a US-based parent, transfers to non-EU SaaS HR providers (Workday, SuccessFactors, BambooHR), transfers to non-EU background check services, transfers to non-EU benefits administrators, and transfers to non-EU assignee tax processors. This guide covers what the SCCs are, the four modules and which to use, the UK equivalents (the International Data Transfer Agreement and Addendum), the relationship with the Transfer Impact Assessment (TIA), common compliance failures, and how the SCCs interact with the EU-US Data Privacy Framework. Source guidance includes the European Commission SCCs page, the UK ICO international transfers guidance, and the European Data Protection Board.

When Are Standard Contractual Clauses Required?

Standard Contractual Clauses are required whenever personal data is transferred from the EU or UK to a country that lacks an adequacy decision, unless an alternative Article 46 mechanism (Binding Corporate Rules, codes of conduct, certification schemes) or an Article 49 derogation applies. The SCCs are the dominant mechanism in practice because they require no supervisory authority approval and are operationally faster to deploy than BCRs.

The SCCs must be executed before the transfer begins. Retrospective execution after data has already flowed creates legal exposure: the period between transfer commencement and SCC signature is technically unlawful processing under GDPR Article 44, and the controller cannot rely on the SCCs to retroactively legitimise it. This is one of the most common audit findings during supervisory authority reviews.

The SCCs are required regardless of data volume or sensitivity. Even a single transfer of one employee’s personal data to a non-adequate country triggers the obligation. The mechanism scales from small transfers (a handful of employee records) to enterprise-scale transfers (entire global HR systems containing thousands of employee records), with the same legal framework applying throughout.

Adequacy decisions eliminate the SCC requirement for transfers to listed countries. As of May 2026, the adequacy list includes the United Kingdom (post-Brexit, granted 2021 and renewed 2025), Switzerland, Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, the Republic of Korea, Uruguay, and the United States (under the EU-US Data Privacy Framework, for certified organisations only, in force since July 2023). Transfers to all other destinations require SCCs (or another Article 46 mechanism).

The Four SCC Modules

The June 2021 SCCs are a single document with four selectable modules, each governing a specific relationship type between the data exporter and data importer. Selecting the wrong module is a common compliance failure because the obligations differ materially across modules.

| Module | Relationship | Typical Scenario | Example |
|---|---|---|---|
| Module 1 | Controller to controller | Both parties are independent controllers determining their own purposes | Group company to non-EU group company sharing HR data for separate but coordinated processing |
| Module 2 | Controller to processor | The exporter is a controller; the importer is a processor acting on the controller’s instructions | EU company using a US-headquartered SaaS HR system; EU company using a US payroll processor |
| Module 3 | Processor to processor | Both parties are processors; typically a chain involving a sub-processor | EU processor engaging a US sub-processor for specific services |
| Module 4 | Processor to controller | The exporter is a processor returning data to a controller outside the EU/UK | EU-based service provider returning processed data to a non-EU client controller |

Module 2 (controller to processor) is by far the most common in HR data contexts. Most multinational employers acting as the EU controller engage non-EU service providers (HR systems, payroll, benefits, background checks) acting as processors, making Module 2 the operational default. Module 3 becomes relevant when the EU controller’s primary processor uses non-EU sub-processors, which is increasingly common with cloud-based service stacks.

Module 1 (controller to controller) applies when group companies in different jurisdictions independently determine processing purposes for the same employee data, which is less common but does arise in matrix organisations where HR data feeds both home-country HR and host-country tax compliance functions independently.

Module 4 (processor to controller) is the least common in HR contexts but applies when an EU-based service provider (for instance, an EU payroll bureau) returns processed data to a non-EU client controller.

💡 Employsome Insight

Module selection is a legal classification, not a contracting preference

Some employers default to Module 2 (controller to processor) because it covers the most common scenario, even when the actual relationship is controller-to-controller or involves sub-processor chains. This is a compliance error: the module determines specific clauses on data subject rights, sub-processor authorisation, liability allocation, and audit rights. Supervisory authorities check the module selection against the substantive relationship. Where group companies share data for independently-determined purposes, Module 1 is the correct selection; Module 2 misrepresents the relationship and weakens the protection of data subjects.

UK Standard Contractual Clauses: IDTA and Addendum

The United Kingdom adopted its own version of the SCCs following Brexit. The UK regime offers two routes for compliant transfers from the UK to non-adequate countries: the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the EU SCCs.

The International Data Transfer Agreement (IDTA) is the UK’s standalone document, in force since March 2022. It is structurally similar to the EU SCCs but adapted to the UK GDPR framework. The IDTA is used where the parties want a UK-only document without reference to the EU framework. It is the operational default for transfers from the UK to non-adequate countries where the EU SCCs are not also in play.

The International Data Transfer Addendum is a short document that incorporates the EU SCCs into the UK regime by reference. It is used where the parties have already executed the EU SCCs (typically for a transfer involving both EU and UK exporters) and want to extend coverage to the UK GDPR. The Addendum is shorter than the IDTA because it leverages the EU SCC text rather than restating it.

For multinational employers operating across both the EU and UK, the practical choice is usually: (1) where both EU and UK data are being transferred, execute the EU SCCs plus the UK Addendum; (2) where only UK data is being transferred, execute the IDTA directly. Both routes provide an equivalent level of UK GDPR compliance, but the documentation overhead differs.

The UK ICO’s 2022 transition period for migrating from the old EU SCCs to the new UK regime ended 21 March 2024. Transfers still relying on the old (2001/2004/2010) EU SCCs are no longer compliant under UK GDPR and must be migrated to the IDTA or the EU SCCs plus UK Addendum.

SCCs and the Transfer Impact Assessment

The new SCCs require the parties to assess and document the risks of the specific transfer. This is the obligation that triggers the Transfer Impact Assessment (TIA). Without a TIA, the SCCs alone may not be sufficient legal basis for the transfer, particularly to high-risk destination countries.

The Schrems II decision (Case C-311/18, July 2020) established that contractual mechanisms like the SCCs are only effective if the destination country’s law does not undermine them. The decision invalidated the EU-US Privacy Shield specifically because US surveillance laws (FISA Section 702, Executive Order 12333) were found to undermine equivalent protection. The implication is that SCCs cannot be relied upon mechanically: each transfer requires a substantive assessment of whether the destination country’s legal framework allows the SCCs to operate as intended.

For practical operational purposes, the deployment of SCCs typically requires three documents in combination: the executed SCCs themselves (the contract); a Transfer Impact Assessment (the substantive analysis); and a register of supplementary measures (the technical, contractual, and organisational instruments addressing identified gaps). Supervisory authorities increasingly expect to see all three during audits of cross-border transfer arrangements.

For deeper coverage of the assessment mechanics, see our Transfer Impact Assessment glossary entry, which details the EDPB six-step framework, country risk profiles, and supplementary measures.

SCCs and the EU-US Data Privacy Framework

The July 2023 EU-US Data Privacy Framework (DPF) provides an adequacy pathway for transfers to participating US organisations, eliminating the need for SCCs and the accompanying Transfer Impact Assessment for transfers within the framework’s scope. Understanding the framework’s scope and limits is essential for international employers managing transfers to US-headquartered service providers.

The DPF works through self-certification: US organisations voluntarily certify their compliance with a set of DPF principles, with certification published on the US Department of Commerce’s DPF list. Once certified, transfers from the EU to that organisation can rely on the adequacy decision without further SCCs or TIA. The framework is administered by the US Federal Trade Commission and the Department of Transportation, with the right of EU data subjects to lodge complaints with a US Data Protection Review Court.

Three important caveats apply. First, the DPF covers only certified entities; transfers to non-certified US importers still require SCCs plus TIA. Second, certification covers only the data categories specified in the organisation’s certification; transfers of out-of-scope data still require SCCs. Third, the DPF adequacy decision is subject to ongoing legal challenge (similar to the challenges that brought down Safe Harbour in 2015 and Privacy Shield in 2020), so prudent controllers maintain SCC + TIA documentation as a fall-back position even when relying on the DPF.

For HR data specifically, the practical implication is that controllers transferring to a US-headquartered HR system should: (a) verify the importer’s current DPF certification status (publicly searchable on the DPF list); (b) confirm the certification covers the relevant data categories (HR data specifically); (c) document the verification with a date; (d) maintain SCC + TIA documentation as a fall-back; (e) reassess at least annually given the ongoing legal challenges.

How to Execute and Document SCCs

Executing the SCCs in practice involves several specific steps. The contract is binding once signed by both parties, but several procedural elements must be completed for the SCCs to operate effectively.

1. Identify the parties and roles. Confirm which entity is the data exporter (EU/UK controller or processor) and which is the data importer (non-EU recipient). For each, identify whether they are acting as a controller or processor for the specific data being transferred. This determines module selection.

2. Select the applicable module. Based on the controller/processor classification of each party, select Module 1, 2, 3, or 4. Where multiple data flows exist (controller-to-controller for some data, controller-to-processor for other data), separate SCCs may be required for each data flow.

3. Complete the Annexes. The SCCs include four annexes that the parties must complete with specific information: Annex I (parties, processing details, competent supervisory authority, data subjects, data categories, special categories, purposes, recipients, retention); Annex II (technical and organisational measures); Annex III (list of sub-processors, where Module 2 or 3 applies); and (for Module 1 or 4) details on the specific information the data importer must communicate to data subjects.

4. Conduct and document the Transfer Impact Assessment. Before signing, complete the EDPB six-step TIA framework, identifying any supplementary measures needed for the specific transfer route.

5. Implement supplementary measures. Deploy the technical, contractual, and organisational measures identified in the TIA. Document the implementation.

6. Execute the SCCs. Both parties sign the SCCs as a binding contract. Some Member State supervisory authorities require notification or filing for specific transfer types (rare for standard HR transfers but applicable for transfers involving large data sets or special category data).

7. Maintain the documentation. Retain the signed SCCs, completed Annexes, the TIA, the supplementary measures register, and any DPF certification verification. Supervisory authorities can request all of this during an audit; missing documentation is an enforcement trigger.

8. Review and update. Reassess the arrangement annually or upon material change. New sub-processors require updates to Annex III. Changes in destination country law require TIA reassessment. New EDPB guidance may require supplementary measures upgrades.

Common SCC Compliance Mistakes

Several common SCC compliance failures recur across international employers. Each can result in supervisory authority enforcement under GDPR Article 83(5), with fines up to €20 million or 4 percent of global revenue, plus suspension of the transfer.

1. Relying on the old (2001/2004/2010) SCCs. The new (June 2021) SCCs replaced the older sets, and the transition periods for both EU and UK regimes have ended. Transfers still relying on the old SCCs are no longer compliant. Audit your transfer documentation for the SCC version in use.

2. Executing the SCCs without completing the Annexes. The Annexes are the operationally specific portion of the SCCs and must be completed in detail. Empty or generic Annexes (for example, “all employee data” rather than specific data categories) fail supervisory authority scrutiny.

3. Selecting the wrong module. Module selection determines the operational obligations. A controller-to-controller relationship documented as Module 2 (controller-to-processor) misrepresents the relationship and weakens data subject protections.

4. Executing the SCCs without a TIA. Schrems II established that SCCs alone are not sufficient where destination country law undermines them. A TIA must accompany the SCCs to document the assessment of effectiveness.

5. Assuming the EU-US DPF eliminates the SCC requirement entirely. The DPF covers only certified US importers. Many US importers (smaller service providers, US sub-processors of larger platforms) are not DPF-certified. SCCs are still required for these transfers.

6. Forgetting the sub-processor chain. Module 2 requires the controller to authorise sub-processors and maintain a current list in Annex III. The sub-processor chain may include parties (US data centres, US support staff, US backup services) that the controller has not explicitly authorised. Audit the importer’s full sub-processor chain.

7. Failing to migrate UK transfers to the IDTA or Addendum. Following Brexit, UK transfers require the IDTA or the EU SCCs plus UK Addendum. Many controllers documented EU SCCs only and overlooked the UK GDPR coverage. The UK transition period ended 21 March 2024.

8. Not maintaining annual review and update cycles. The SCCs and accompanying TIA should be reviewed annually or upon material change. Destination country law evolves, sub-processor chains change, and EDPB guidance updates. Static SCCs from year one rarely remain compliant in year three without review.

Frequently Asked Questions: Standard Contractual Clauses

Standard Contractual Clauses are pre-approved contract templates that authorise the transfer of personal data from the EU or UK to countries that lack an adequacy decision from the European Commission. They are issued under GDPR Article 46(2)(c) and constitute the most widely-used legal mechanism for cross-border data transfers. The current (June 2021) SCCs replaced older 2001/2004/2010 versions following the Schrems II decision and consist of a single document with four modules covering different controller and processor relationships.

SCCs are required whenever personal data is transferred from the EU or UK to a country lacking an adequacy decision, unless an alternative Article 46 mechanism (Binding Corporate Rules) or Article 49 derogation applies. They must be executed before the transfer begins; retrospective execution does not legitimise the period between transfer commencement and signature. As of May 2026, adequacy decisions cover the UK, Switzerland, Japan, South Korea, Israel, Argentina, Uruguay, New Zealand, and several others. Transfers to all other destinations typically require SCCs.

The June 2021 SCCs contain four modules: Module 1 covers controller-to-controller transfers where both parties independently determine processing purposes; Module 2 covers controller-to-processor transfers (the most common in HR contexts, where an EU controller engages a non-EU processor); Module 3 covers processor-to-processor transfers (typically EU processor engaging non-EU sub-processor); Module 4 covers processor-to-controller transfers where the EU processor returns data to a non-EU client controller. The correct module is determined by the substantive controller/processor classification of each party.

The UK adopted its own framework post-Brexit. The International Data Transfer Agreement (IDTA), in force since March 2022, is a standalone UK document structurally similar to the EU SCCs but adapted to UK GDPR. The International Data Transfer Addendum is a short document that incorporates the EU SCCs into the UK regime by reference, used where parties have already executed the EU SCCs and want to extend coverage to UK GDPR. The UK transition period for migrating from the old EU SCCs ended 21 March 2024.

Yes. The Schrems II decision established that SCCs alone are not sufficient where destination country law undermines them. The new SCCs explicitly require the parties to assess and document the risks of the specific transfer, which is the obligation that triggers the Transfer Impact Assessment (TIA). Operationally, compliant transfers to non-adequate countries require three documents: the executed SCCs, the TIA, and a register of supplementary measures. Supervisory authorities expect all three during audits.

The DPF eliminates the SCC requirement for transfers to US organisations that have self-certified under the framework, but only for the data categories covered by their certification. Many US importers (smaller service providers, US sub-processors, certain departments of larger organisations) are not DPF-certified, in which case SCCs are still required. Prudent controllers maintain SCC + TIA documentation as a fall-back position even for DPF-certified importers, given the ongoing legal challenges to the framework similar to those that brought down Safe Harbour and Privacy Shield.

The SCCs include four annexes that parties must complete: Annex I (identifying the parties, processing details, competent supervisory authority, data subjects, data categories, special category data, processing purposes, recipients, retention period); Annex II (technical and organisational measures to protect the data); Annex III (list of authorised sub-processors, where Module 2 or 3 applies); and Annex IV (only relevant for certain modules). Empty or generic Annexes fail supervisory authority scrutiny. The Annexes are the operationally specific portion of the SCCs and must be completed in detail.

Non-compliant SCCs can trigger supervisory authority enforcement under GDPR Article 83(5), with fines up to €20 million or 4 percent of global annual revenue. Beyond direct fines, authorities can suspend the transfer (forcing operational disruption), require remediation by a defined deadline, and impose corrective orders. Specific findings can also affect the validity of related Records of Processing Activities (Article 30) and trigger breach notification obligations if the non-compliance constitutes a personal data breach. Common findings include outdated SCC versions, missing TIAs, and incomplete Annexes.

Courtney Pocock

Copywriter & EOR/PEO Researcher

Courtney Pocock is a Copywriter at Employsome with 15+ years of experience writing for the HR, corporate, and financial sectors. She has a strong interest in global business expansion and Employer of Record / PEO topics, focusing on news that matters to business owners and decision-makers. Courtney covers industry updates, regulatory changes, and practical guides to help leaders navigate international hiring with confidence.

Information in this glossary entry is current as of May 2026 and reflects the European Commission Implementing Decision 2021/914 on Standard Contractual Clauses (June 2021), the UK International Data Transfer Agreement and UK Addendum (March 2022), the Court of Justice of the European Union decision in Case C-311/18 (Schrems II), EDPB Recommendations 01/2020 on supplementary measures, the July 2023 EU-US Data Privacy Framework adequacy decision, and UK ICO international transfers guidance. Frameworks evolve continuously and adequacy decisions remain subject to legal challenge. This guide is for informational purposes only and does not constitute legal or compliance advice. Controllers should engage qualified privacy counsel for jurisdiction-specific SCC implementation and supervisory authority correspondence.