What is an SCC (standard contractual clause)?

The GDPR also specifies that where the controller or processor is located in the EU, contractual terms which provide adequate data protection measures can be relied upon for transfers to third countries.

This includes SCCs, also known as model contract clauses, which the European Commission guarantees as satisfactory for the protection of data.

SCCs are also among the guarantees provided for in Article 46 of the GDPR for international data transfer. Their formatted structure allows organizations to employ them easily as part of contract documentation, which then provides legally enforceable obligations for both parties, the data exporter and the importer.

There are distinct sets of SCCs for different transfer contexts including controller-to-controller, controller-to-processor, and processor-to-processor.

In most cases, SCCs contain provisions on data exporters' and importers' responsibilities, data subjects' rights, limitations, indemnification and liability, dispute resolution, and cooperation with supervisory authorities.

However, after the Schrems II decision, measures in addition to SCCs may also be required when data is transferred to countries that give their surveillance authorities access to data transferred by organizations.

Although SCCs are widely accepted, especially where transfers are made to countries that are not yet considered adequate by the EU, they do not relieve organizations of other obligations under the GDPR.

Organizations still need to observe general GDPR compliance in activities involving the collection and use of data. To keep the sender's data from falling into the wrong hands, it is important to evaluate the data protection standards of the recipient country and put in place other protective measures if needed, before using SCCs.
