What is an SCC (standard contractual clause)?

The GDPR also specifies that where the controller or processor is located in the EU, contractual terms which provide adequate data protection measures can be relied upon for transfers to third countries.

This includes SCCs, also known as model contract clauses, which the European Commission recognises as satisfactory for protecting data.

SCCs are also among the guarantees provided for in Article 46 of the GDPR for international data transfers. Their standardized structure lets organizations easily include them in contract documentation, which then provides legally enforceable obligations for both parties, the data exporter and the data importer.

There are distinct sets of SCCs for different transfer contexts including controller-to-controller, controller-to-processor, and processor-to-processor.

In most cases, SCCs contain provisions covering the responsibilities of data exporters and importers, data subjects' rights, limitations, indemnification and liability, dispute resolution, and cooperation with supervisory authorities.

However, after the Schrems II decision, other measures may be required in addition to SCCs when data is transferred to countries that give their surveillance authorities access to data transferred by organizations.

Although SCCs are widely accepted, especially where transfers are made to countries that the EU does not yet consider adequate, they do not relieve organizations of other obligations under the GDPR.

Organizations still need to observe general GDPR compliance in activities involving the collection and use of data. To keep the sender's data from falling into the wrong hands, it is important to evaluate the data protection standards of the recipient country and put other protective measures in place if needed, before using SCCs.
