If we are a Data Processor and the in-scope data is already outside the EU, do we still need an SCC in place?


Yes, even if you are a Data Processor and the in-scope data is already outside the EU, you will likely still need Standard Contractual Clauses (SCCs) in place under GDPR if personal data is transferred from the EU to a non-EU country.

Here’s why:

  1. GDPR applies to EU data subjects’ personal data, regardless of where the data is processed or stored. If you’re processing or handling data from the EU, you must comply with GDPR rules.
  2. SCCs are a mechanism to ensure GDPR compliance when transferring personal data outside the EU or EEA, particularly to countries that are not deemed to have adequate data protection laws by the European Commission.
  3. Even if the data is already outside the EU, if you’re processing it on behalf of an EU-based Data Controller, you must ensure the data transfer meets GDPR requirements, which usually includes SCCs unless another lawful transfer mechanism is in place (e.g., an adequacy decision).
