Customizing SCCs for SaaS Companies

Managing cross-border data transfers is a challenge for SaaS companies under GDPR. Standard Contractual Clauses (SCCs) help ensure compliance when moving personal data outside the EU/EEA. But they’re not “one-size-fits-all.” SaaS businesses must tailor SCCs to fit their specific data handling, security practices, and legal obligations.
Here’s a quick summary of what you need to know:
- SCCs are mandatory for transferring EU personal data to countries without adequacy decisions (e.g., U.S., China).
- Modules matter: Choose the right SCC module based on your data transfer relationships (e.g., Controller-to-Processor or Processor-to-Processor).
- Annexes must be detailed: Clearly describe your data flows, security measures (e.g., encryption, audits), and sub-processors.
- Transfer Impact Assessments (TIAs): Evaluate the destination country’s laws to identify risks and apply safeguards like encryption with EU-held keys.
- Integration with contracts: Embed SCCs into your Data Processing Addendums (DPAs) or Master Service Agreements (MSAs) while ensuring compliance with GDPR requirements.
Ignoring SCC compliance can lead to hefty fines, as seen with Uber’s €290M penalty in 2024. By customizing SCCs and staying vigilant with regulatory changes, SaaS companies can avoid disruptions and maintain trust with customers.
Key Areas to Customize in SCCs for SaaS Companies
SaaS companies need to adjust Standard Contractual Clauses (SCCs) to align with their specific data handling and security practices. While SCCs are pre-approved templates, they’re not plug-and-play documents. The European Commission designed them to be modified, requiring SaaS businesses to adapt certain sections to reflect their actual operations. IT lawyer Irene Bodle explains:
"The new SCCs are no longer a 'standard template' which can be added unaltered... The new SCCs must be substantially customised by adapting and removing any modules that do not apply."
Key areas for customization include selecting the appropriate module, tailoring annexes, and implementing additional safeguards when necessary.
Understanding SCC Modules
SaaS companies must choose the module that matches their data transfer relationships. Most commonly, they rely on Module 2 (Controller-to-Processor) and Module 3 (Processor-to-Processor).
| Module | Relationship | SaaS Use Case |
|---|---|---|
| Module 1 | Controller to Controller | Rare; applies if both SaaS and the customer independently control the same data. |
| Module 2 | Controller to Processor | Common: EU Customer (Controller) using a non-EEA SaaS Vendor (Processor). |
| Module 3 | Processor to Processor | Common: SaaS Vendor (Processor) using a non-EEA Sub-processor (e.g., AWS). |
| Module 4 | Processor to Controller | EEA-based SaaS Vendor transferring data back to a non-EEA Customer. |
For example, Module 2 applies when an EU-based customer subscribes to your SaaS platform. Module 3 is relevant when you, as the SaaS provider, rely on non-EEA infrastructure like AWS or Azure. Many SaaS businesses use both modules: one for customer relationships and another for sub-processor arrangements.
Including the docking clause (Clause 7) is a smart move. It allows new entities - like subsidiaries or additional sub-processors - to join the SCCs by signing the annexes. This eliminates the need to renegotiate the entire agreement, saving time as your company grows.
Customizing Annexes for SaaS Use Cases
Annexes are where you turn a generic SCC into a tailored agreement.
- Annex I: Describe your data flows. Specify the types of personal data (e.g., login credentials, customer-uploaded files), categories of data subjects (end-users, employees), and retention periods.
- Annex II: Detail your security measures. Avoid vague terms like "appropriate security measures." Instead, list SaaS-specific protections such as AES-256 encryption for data at rest, TLS 1.3 for data in transit, SOC 2 Type II certification, and regular penetration testing. Proskauer Rose LLP emphasizes:
"Annex II requires that a detailed description of the technical and organisational measures implemented is set out for each of the modules."
- Annex III: Relevant for Modules 2 and 3, this annex requires a list of sub-processors or a defined authorization process. Include providers like AWS, Google Cloud, and analytics platforms. Specify a notice period (commonly 30 days) for adding new sub-processors.
Adding Extra Safeguards for Cross-Border Transfers
When transferring data outside the EEA, some scenarios may require supplementary safeguards, especially if your Transfer Impact Assessment (TIA) identifies risks like U.S. surveillance laws under FISA 702.
| Safeguard Category | Examples for SaaS Companies |
|---|---|
| Technical | Encryption with EEA-held keys, Pseudonymization, Split processing, Data minimization |
| Organizational | Transparency reporting, Staff training, Access controls, Regular audits |
| Contractual | Notification of access requests, Commitment to challenge requests, Additional privacy warranties |
Technical safeguards are particularly critical. Use encryption where keys remain in the EEA, pseudonymization with separate key storage, or split processing to keep sensitive data elements within the EEA. Organizational safeguards include publishing transparency reports on government data requests and training staff on data protection protocols. Contractual safeguards can ensure the data exporter is notified of government access requests (when legally allowed) and that unlawful requests are challenged.
Keep detailed records. Regulators may request your TIA and evidence of the safeguards you’ve implemented. Maintain a thorough transfer register documenting all non-EEA transfers, the data types involved, their purposes, and the safeguards applied.
These adjustments ensure that SCCs are not only compliant but also aligned with your SaaS business’s operational needs.
Integrating SCCs with SaaS Contracts
To ensure smooth integration, SCCs must align with your existing legal agreements. Most SaaS companies incorporate these clauses into Data Processing Addendums (DPAs) or Master Service Agreements (MSAs). The European Commission permits this approach, as long as the SCCs remain unaltered and take precedence over any conflicting terms. It has clarified that SCCs can be part of a broader agreement, provided nothing in the contract contradicts or undermines the rights of data subjects under the SCCs. This flexibility allows businesses to maintain consistency across agreements while prioritizing compliance.
Aligning SCCs with DPAs
Once tailored, SCCs should be embedded into your contractual framework. The updated 2021 SCCs already address all mandatory GDPR Article 28 requirements for Controller-to-Processor and Processor-to-Processor relationships. IT lawyer Irene Bodle highlights this advantage:
"The new SCCs include all of the provisions that must be included in a written data processing agreement under Article 28 of the GDPR. This means that the new SCCs can be used without the need for any additional DPA."
This might eliminate the need for a standalone DPA in some cases. However, maintaining a comprehensive DPA still makes sense. Why? It allows you to isolate the stricter SCC provisions for EU personal data transfers while using the broader DPA to cover other data types. Additionally, transfers involving UK personal data require the UK International Data Transfer Agreement (IDTA) or the UK Addendum alongside the EU SCCs.
Another critical area to address is potential conflicts between SCCs' joint liability terms and the limited liability clauses often found in MSAs. SCCs impose joint and several liability for breaches, which cannot be overridden by blanket liability exclusions in your MSA. Clause 12(a) of the SCCs explicitly prohibits such exclusions. To avoid ambiguity, specify clear notification windows in your DPA. While SCCs require breach notifications "without undue delay", defining a timeframe - such as 72 hours - can help align compliance with operational realities.
Once your DPAs are aligned, the focus shifts to balancing regulatory requirements with practical business needs.
Balancing Compliance with Business Requirements
Regulatory compliance doesn’t have to slow down your business. The key is to meet legal obligations without compromising operational efficiency.
For instance, using the docking clause (Clause 7) can simplify adding new affiliates or sub-processors. This allows you to onboard new entities without renegotiating your entire MSA or DPA, saving both time and resources as your SaaS platform grows.
When detailing security measures in Annex II, be precise and realistic. Overpromising on security controls can backfire if you can’t consistently deliver on them. For example, strict login IP restrictions may enhance security but could unintentionally block mobile users who need flexible access. Strike a balance that satisfies regulatory expectations while keeping your service functional.
Don’t forget to update your privacy policy to reflect all international SCC transfers. Transparency strengthens trust and ensures compliance. If you’re using Module 3 for sub-processors, consider including a notice period (e.g., 30 days) in Annex III. This gives customers adequate time to review and object to new providers, if necessary.
Steps to Implement Customized SCCs
Once your SCCs are aligned with your contracts, the next step is implementation. This process involves careful planning, ongoing monitoring, and staying flexible as regulations evolve.
Conducting Transfer Impact Assessments (TIAs)
Before applying SCCs, it's critical to assess whether the destination country's laws might prevent your data importer from complying. This is done through a Transfer Impact Assessment (TIA), which is required for any non-EEA transfer. As Carina Schalhofer from Priviq highlights:
"Simply signing the new SCCs is insufficient to render a transfer valid. Instead, the clauses demand the parties to assess whether the country of destination's level of data protection is essentially equivalent to EU standards by conducting a Transfer Impact Assessment (TIA)."
Start by creating a transfer register that maps out data types, processing purposes, recipient locations, and party roles. This will help you identify which transfers need TIAs and determine the applicable SCC module. For instance:
- If you're an EEA-based customer working with a non-EEA SaaS platform, you'll use Module 2 (Controller-to-Processor).
- If you're a SaaS provider using a third-country cloud host, you'll need Module 3 (Processor-to-Processor).
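The register-driven decision described above, written out as an added example (not code from the original post): each entry records the parties, their roles and the destination, and the helper derives the SCC module from the role pairing in the module table and flags whether SCCs, a TIA and an Annex III sub-processor list are needed. The party names are constructed, and the EEA and adequacy country sets are illustrative subsets, not authoritative lists.

```python
from dataclasses import dataclass
# Illustrative subsets only: maintain against the Commission's official lists.
EEA = {"AT", "BE", "DE", "FR", "IE", "IS", "LI", "NL", "NO", "SE"}
ADEQUACY = {"CH", "JP", "KR"}  # destinations covered by an adequacy decision

# (exporter role, importer role) -> SCC module, the same pairing as the module table.
MODULES = {
    ("controller", "controller"): 1,
    ("controller", "processor"): 2,
    ("processor", "processor"): 3,
    ("processor", "controller"): 4,
}
MODULE_NAMES = {1: "Controller-to-Controller", 2: "Controller-to-Processor",
                3: "Processor-to-Processor", 4: "Processor-to-Controller"}

@dataclass(frozen=True)
class Transfer:
    exporter: str           # party sending the personal data
    exporter_role: str      # "controller" or "processor"
    importer: str           # party receiving it
    importer_role: str
    destination: str        # ISO country code where the importer processes the data
    data_categories: tuple  # e.g. ("login credentials", "uploaded files")

def scc_module(t: Transfer) -> int:
    key = (t.exporter_role.lower(), t.importer_role.lower())
    if key not in MODULES:
        raise ValueError(f"unknown role pairing: {key}")
    return MODULES[key]

def assess(t: Transfer) -> dict:
    """Decide whether the transfer needs SCCs, a TIA and an Annex III sub-processor list."""
    module = scc_module(t)
    # SCCs (with an accompanying TIA) apply when the destination is outside the
    # EEA and has no adequacy decision; Annex III exists only in Modules 2 and 3.
    scc_required = t.destination not in EEA and t.destination not in ADEQUACY
    return {"exporter": t.exporter, "importer": t.importer, "destination": t.destination,
            "module": module, "module_name": MODULE_NAMES[module],
            "scc_required": scc_required, "tia_required": scc_required,
            "annex_iii_required": scc_required and module in (2, 3)}

def register_report(transfers) -> list:
    return [assess(t) for t in transfers]

# Constructed sample register with hypothetical parties.
SAMPLE_REGISTER = [
    Transfer("EU Customer GmbH", "controller", "SaaS Vendor Inc", "processor", "US", ("login credentials",)),
    Transfer("SaaS Vendor Inc", "processor", "Cloud Host LLC", "processor", "US", ("uploaded files",)),
    Transfer("SaaS Vendor EU BV", "processor", "Customer AG", "controller", "CH", ("support tickets",)),
]
```

Running `register_report(SAMPLE_REGISTER)` yields Module 2, Module 3 and Module 4 rows in that order; only the two US-bound transfers require SCCs and a TIA, and the Module 4 transfer to an adequacy destination needs neither.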
Your TIA should focus on whether the laws in the third country - such as the US FISA 702 or the UK Investigatory Powers Act - allow government access that exceeds what is "necessary and proportionate in a democratic society". Between 2023 and 2024, EU Data Protection Authorities issued 127 corrective actions related to international data transfers, often citing inadequate TIAs as the main issue. Be sure to document your findings thoroughly and have them certified by senior management.
If risks are identified during the TIA, implement supplementary measures. Technical safeguards like encryption with EU-held keys are particularly effective, as they provide protection against surveillance laws. Organizations that combine structured TIA processes with customer-managed encryption have seen a 60% drop in findings during DPA examinations. Use Hardware Security Modules within the EU to generate and store encryption keys, ensuring data is encrypted before leaving EU jurisdiction.
Once your TIAs are finalized and risks are addressed, integrate these insights into your overall compliance framework.
Ensuring Legal and Operational Compliance
Complete Annex I (detailing the parties and data) and Annex II (technical and organizational measures) with specifics like AES-256 encryption. Schedule quarterly audits to quickly identify and resolve compliance gaps. Modern data management requires ongoing monitoring rather than static documentation. As one European Data Protection Board member stated:
"Modern data ecosystems demand dynamic protections rather than static paperwork."
Provide role-specific training for employees so they can recognize high-risk transfer scenarios. This ensures that everyone involved in handling international data understands their responsibilities. If you're using Module 3 for sub-processors, monitor TIAs continuously to account for "onward transfers", where your vendor's sub-processors may operate in third countries.
By combining legal and operational measures, you can ensure your SCCs remain effective and up-to-date.
Updating SCCs for Regulatory Changes
Regulations are always changing, and your SCCs must keep pace. Revisit your TIAs whenever there are significant changes in the destination country's laws, your data processing activities, or the parties involved. Set up automated alerts to track regulatory updates, such as new adequacy decisions or changes to frameworks like the EU-US Data Privacy Framework.
Keep your transfer register updated and use software tools to flag outdated clauses and monitor regulatory developments. With the full enforcement of updated 2025 requirements expected to begin in early 2026, organizations should prepare for more system audits. Notably, 82% of companies reported better data access controls after adopting updated SCC terms, proving the benefits of staying ahead of regulatory changes.
Conclusion
Customizing SCCs is more than just ticking regulatory boxes - it’s about creating a strong foundation for seamless global operations. By aligning SCCs with your SaaS workflows, you not only shield your business from regulatory penalties but also build trust with customers and partners. As Celestine Bahr from Usercentrics puts it:
"Properly implemented SCCs signal that an organization takes data protection laws seriously, reducing regulatory risk and reinforcing customers' and partners' confidence."
The benefits of proactive data protection are clear. For instance, 82% of organizations report better data access controls after revising their contractual terms. Moving from static agreements to active governance ensures your SCCs adapt to your business's growth and the ever-changing regulatory landscape. This shift is critical, especially when 43% of enforcement actions in 2023 stemmed from issues with SCC implementation. Non-compliance can result in hefty fines of up to €20 million or 4% of global turnover.
To stay ahead, make SCC management a continuous effort. Conduct quarterly agreement reviews, update TIAs as circumstances evolve, and use automated tools to monitor compliance. These steps will help you navigate regulatory changes and avoid enforcement pitfalls. By prioritizing active SCC oversight today, you’re setting your global operations up for success in the future.
FAQs
Which SCC module should my SaaS use?
The SCC module you need for your SaaS business hinges on your role in data transfers. SaaS companies typically operate as either processors or controllers.
- If you're processing data on behalf of a controller, you'll need the Processor-to-Processor or Processor-to-Controller modules.
- For data controllers transferring information to third parties, the Controller-to-Controller or Controller-to-Processor modules are the right fit.
It's crucial to evaluate your role thoroughly and consult legal experts to ensure you're meeting GDPR requirements.
What details must be included in the SCC annexes?
The SCC annexes need to clearly outline critical details like the parties involved, the type of data being transferred, and the safeguards established to protect it. This typically includes identifying the data exporter and data importer, specifying the purpose of the transfer, and referencing the relevant SCC modules. Providing clear and thorough information is essential to ensure compliance with regulatory standards.
When do we need extra safeguards beyond SCCs?
When transfer impact assessments reveal heightened risks or when legal frameworks, such as the Schrems II ruling, call for stricter protections, extra precautions become essential. These might involve implementing encryption or other technical measures to secure data transfers and ensure compliance with regulatory standards.