Blog

New SCCs: Key Changes and Deadlines

By
The Reform Team
Use AI to summarize text or ask questions

If your company still sends EU personal data outside the EEA, the old SCC deadlines are over - but the work is not. As of July 2, 2026, every active transfer should use the 2021 SCCs, match the right module, include a current Transfer Impact Assessment (TIA), and have specific annexes. If not, you still face GDPR transfer risk, including fines of up to $23.6 million or 4% of global annual revenue (using the euro amount stated in the source article: €20 million).

Here’s the short version:

  • June 4, 2021: the EU adopted the new SCCs
  • September 27, 2021: old SCCs stopped working for new deals
  • December 27, 2022: old SCCs had to be replaced in existing deals
  • The new SCCs added 4 modules: C2C, C2P, P2P, and P2C
  • They also built in Article 28 processor terms, a docking clause, and TIA duties under Clause 14
  • In 2026, the main risk is not the signature date - it’s stale TIAs, weak annexes, and poor sub-processor tracking
  • EU-U.S. transfers still need close review, especially where U.S. access laws may affect importer compliance

What I take from the article is simple: SCC compliance is no longer just a contract task. It is a review process that needs current facts on vendor roles, destination country, data types, retention, sub-processors, and security controls like AES-256 encryption, MFA, and pseudonymization.

How to meet the Standard Contractual Clauses (SCCs) deadline with Gatekeeper

Gatekeeper

Quick comparison

Topic Old SCCs New SCCs
Structure Separate clause sets One modular framework
Transfer types C2C, C2P C2C, C2P, P2P, P2C
Article 28 terms Separate DPA needed Built into the clauses
Multi-party use Limited Docking clause allows added parties
TIA duty Not built in Required under Clause 14
Status in 2026 No longer valid for active transfers Required for SCC-based transfers

Bottom line: if I were checking transfers today, I would focus less on old transition dates and more on whether each transfer is still supported by the right module, a live TIA, and clear Annex I, II, and III details.

What Changed in the New SCCs

One Modular Framework Replaced the Old SCC Sets

The old SCCs came in three separate sets, published in 2001, 2004, and 2010. The new framework replaces those with one modular document that covers C2C, C2P, P2P, and P2C transfers.

That shift matters in practice. The legacy SCCs did not cover P2P or P2C transfers, even though those setups show up all the time in modern vendor chains. A company might use one processor, which then uses another processor, or a processor may send data back to a controller. Under the old model, that gap created friction. Under the new one, businesses pick the module that fits the transfer relationship.

Those structural shifts also set up the migration deadlines and review duties covered next.

New SCC Features That Affect Implementation

Two features do most of the heavy lifting during implementation. They shape how companies onboard vendors, document party roles, and keep transfer records in order.

The docking clause (Clause 7) lets new parties join an existing SCC agreement over time, either as exporters or importers.

The other big change is Integrated Article 28 terms. The new SCCs fold in the processor duties required by GDPR Article 28. In plain English, that means a separate Data Processing Agreement may be folded into the SCCs when the SCCs serve as the governing transfer terms. If an organization already has DPAs in place, it still needs to check them line by line for conflicts, because the SCCs take priority over other contract terms.

The transparency rules also got tighter. Importers acting as controllers may have direct breach-notification duties in some cases. And Annex II can't stay vague. It must describe technical and organizational measures with enough detail to be specific.

Old vs. New SCCs: A Side-by-Side Comparison

The table below shows the main differences between the legacy clauses and the current modular framework.

Feature Legacy SCCs (2001, 2004, 2010) New GDPR-Era SCCs
Structure Separate, rigid sets of clauses Single document with four modules
Transfer Scenarios C2C and C2P only C2C, C2P, P2P, and P2C
Article 28 Coverage Not included; required a separate DPA Fully integrated into the clauses
Multi-party Use Designed for two parties Supports additional parties via the docking clause
Schrems II / TIA Not addressed Mandatory Transfer Impact Assessment (Clause 14)

These updates also changed migration timing and the need for repeat reviews, which the next section covers.

EU Standard Contractual Clauses (SCCs): Key Dates & Compliance Milestones

EU Standard Contractual Clauses (SCCs): Key Dates & Compliance Milestones

The Key SCC Transition Dates Businesses Had to Meet

The timeline itself was straightforward. The work behind it was anything but.

Date What It Meant
June 4, 2021 European Commission officially adopted the new SCCs
September 27, 2021 Legacy SCCs could no longer be used for new contracts
December 27, 2022 Final deadline to replace legacy SCCs in existing contracts

As of 2026, those cutoff dates are behind us. What matters now is steady review, clean records, and close vendor oversight. In plain English: the deadlines are old news, but the compliance load did not disappear. It shifted into day-to-day review and documentation.

Why Schrems II Changed How SCCs Must Be Used

Schrems II changed the way SCCs work in practice. It made them conditional on a transfer-by-transfer assessment and, when needed, supplementary measures.

That’s where Transfer Impact Assessments (TIAs) come in. Clause 14 of the new SCCs says the parties must assess whether the laws of the destination country - especially surveillance laws such as FISA Section 702 in the United States - keep the data importer from meeting its SCC duties. If a TIA shows a problem, the parties must put supplementary measures in place. Those can be technical, contractual, or organizational safeguards. If none of those measures fixes the gap, the transfer has to stop or be suspended.

The EDPB Recommendations 01/2020 give businesses a practical path to follow. They explain how to map transfers, review the legal setting in the destination country, and document the safeguards used.

Where Businesses Still Face Exposure in 2026

Even if an organization finished its migration by December 27, 2022, gaps can still remain. Most of them come back to two things: weak documentation and poor vendor visibility.

Incomplete annexes still show up all the time. Annex I needs to spell out the nature of the data, the categories of data subjects, and retention periods. Annex II must describe technical and organizational security measures in specific terms, not broad or generic language.

The other big issue is sub-processor visibility. If a data importer sends data onward, Annex III has to stay current, and the importer needs the right agreements in place for those onward transfers. Supervisory authorities can ask to see TIAs and full annexes. So a missing TIA - or one that says very little - isn’t just a paperwork issue. It’s the sort of gap that gets attention from regulators. TIAs also are not one-and-done documents. They need updates when laws change, vendors change, or processing activities change.

That’s why SCC compliance now depends on a repeatable intake and review process. The answer is a structured migration and review workflow.

How to Update SCC Compliance Without Slowing the Business

A Step-by-Step Migration and Review Process

Use a repeatable workflow to match each transfer to the right SCC module, fill in the annexes, and document the TIA. Once the SCC rules are set, the next step is day-to-day execution: get the right transfer facts before review starts.

For each transfer, confirm:

  • exporter and importer roles
  • destination country
  • data categories
  • onward transfers to sub-processors
  • retention periods

Those details decide which module applies and what the annexes need to cover.

Once the right module is set, attention moves to the annexes. Annex II should spell out specific controls, such as AES-256 encryption, multi-factor authentication, pseudonymization, and incident response protocols. Complete a TIA for each transfer, document any supplementary measures, and update the assessment when the transfer changes. If a TIA shows a gap that no technical or contractual measure can fix, the transfer must stop.

How Structured Intake Workflows Improve SCC Accuracy

The biggest slowdowns usually come from missing intake data. When procurement brings in a new vendor without the right details up front, legal and privacy teams can lose days tracking down answers that should have been gathered before legal review even began.

A structured intake form fixes that problem. Before any vendor contract moves ahead, the form should collect exporter and importer roles, the purpose of the transfer, data categories, whether onward transfers to sub-processors are involved, storage locations, and any known government access concerns in the destination country. That intake data then feeds module selection, annexes, and the TIA.

Reform supports this workflow directly by adding a structured intake layer that gathers the transfer facts legal and privacy teams need before SCC review starts.

For EU-U.S. transfers, the same workflow also needs to flag destination-law risk and supplementary measures.

U.S. Considerations and Final Takeaways

Why EU-U.S. Transfers Need Closer Review

The toughest SCC problems in 2026 show up in EU-U.S. transfers. That’s where legal access risk, plus the right supplementary measures, can make or break the safeguard.

EU-U.S. transfers need closer scrutiny because U.S. disclosure laws can force access to data even when that data is stored outside the United States. That sets up a direct clash with GDPR Article 48, which generally bars transfers based on third-country court orders unless an international agreement is in place. SCCs, by themselves, don’t fix that problem.

The DPF can help when you work with certified vendors. But SCCs and TIAs still need to be the starting point.

For sensitive data, end-to-end encryption with EU-held keys is still one of the strongest supplementary measures against U.S. government access risk.

Conclusion: Key Changes and Deadlines to Remember

Legacy 2001 and 2010 SCCs became invalid on December 27, 2022, so any active transfer that relies on SCCs should already be using the right modular framework. If you use the wrong module, the SCCs don’t work.

In 2026, compliance is less about paperwork sitting in a folder and more about upkeep. Review TIAs at least once a year. Update Annex II and Annex III any time laws, vendors, or transfer flows change.

The enforcement risk is big. Regulators have issued more than €2 billion in fines for transfer violations since 2023, and non-compliant transfers can lead to penalties of up to €20 million or 4% of global annual turnover.

That leaves one plain rule for 2026: every active transfer should appear in the ROPA, match the right module, rest on a current TIA, and include specific Annex II controls.

FAQs

How do I choose the right SCC module?

Choose the module based on the roles each party plays in the data transfer.

  • Module One: controller-to-controller
  • Module Two: controller-to-processor
  • Module Three: processor-to-processor
  • Module Four: processor-to-controller

Pick the module that fits the functional setup of your transfer. The new SCCs sit within a single agreement, so you can use the sections that apply to your arrangement.

When should a TIA be updated?

A Transfer Impact Assessment (TIA) needs an update when changes in the relevant legal framework affect the level of protection for transferred personal data.

Organizations need to conduct and document these assessments to review the destination country's laws and practices. They also need to make them available for review on request.

What should the SCC annexes include?

The Standard Contractual Clauses include an Appendix with three annexes that both parties need to fill out.

Those annexes should cover:

  • the data transfer itself, including any onward transfers
  • the importer’s technical and organizational security measures
  • details about sub-processors

This matters for compliance. It also helps make sure the data processing chain is described clearly and correctly.

Related Blog Posts

Use AI to summarize text or ask questions

Discover proven form optimizations that drive real results for B2B, Lead/Demand Generation, and SaaS companies.

Lead Conversion Playbook

Get new content delivered straight to your inbox

By clicking Sign Up you're confirming that you agree with our Terms and Conditions.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
The Playbook

Drive real results with form optimizations

Tested across hundreds of experiments, our strategies deliver a 215% lift in qualified leads for B2B and SaaS companies.