If we are a Data Processor and the in-scope data is already outside the EU, do we still need an SCC in place?

Yes, even if you are a Data Processor and the in-scope data is already outside the EU, you will likely still need Standard Contractual Clauses (SCCs) in place under GDPR if personal data is transferred from the EU to a non-EU country.

Here’s why:

1. GDPR applies to EU data subjects’ personal data, regardless of where the data is processed or stored. If you’re processing or handling data from the EU, you must comply with GDPR rules.
2. SCCs are a mechanism to ensure GDPR compliance when transferring personal data outside the EU or EEA, particularly to countries that are not deemed to have adequate data protection laws by the European Commission.
3. Even if the data is already outside the EU, if you’re processing it on behalf of an EU-based Data Controller, you must ensure the data transfer meets GDPR requirements, which usually includes SCCs unless another lawful transfer mechanism is in place (e.g., an adequacy decision).