Standard Contractual Clauses (SCCs)

Standard Contractual Clauses are EU-approved template contracts for transferring personal data outside the EEA when no adequacy decision applies.

What are SCCs?

Standard Contractual Clauses (SCCs) are template contract clauses adopted by the European Commission that organisations can use to lawfully transfer personal data from the EEA to a "third country" (a country outside the EEA without an EU adequacy decision). The current SCCs were adopted June 2021 and replaced the 2010 set; they cover four transfer modules — controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller — and must be selected to match the actual data flow.

SCCs after Schrems II

Schrems II (CJEU C-311/18, July 2020) did not invalidate SCCs but required organisations using them to perform a Transfer Impact Assessment (TIA). The TIA evaluates whether the destination jurisdiction's surveillance laws fall short of EU adequacy and, where they do, what supplementary technical or organizational measures (encryption, pseudonymisation, contractual commitments not to comply with overbroad orders) close the gap. A TIA is real documentation, not a checkbox, and is typically required by EU enterprise procurement before signing.

SCCs for AI procurement

If an AI vendor processes EU personal data through U.S.-based upstream model APIs, the EU controller needs SCCs in place at every link of the chain — vendor to upstream lab, vendor to controller. The flow-down is critical: each sub-processor must commit to the same standard. Most mature AI vendors publish their EU SCCs as part of the DPA template; ask if you don't see them, and verify the module selection matches your data flow.