How SCC Clauses Protect Cross-Border Data

By The Reform Team

Standard Contractual Clauses (SCCs) are pre-approved legal agreements that ensure personal data transferred outside the European Economic Area (EEA) remains protected. They are essential for businesses transferring data to countries without an EU adequacy decision, such as the United States or India. SCCs help meet compliance with the General Data Protection Regulation (GDPR) by creating binding obligations between data exporters and importers.

Key points about SCCs:

  • SCCs are based on Article 46(2)(c) of the GDPR and ensure EU-level protections for transferred data.
  • They include modules tailored for different transfer scenarios: Controller-to-Controller, Controller-to-Processor, Processor-to-Processor, and Processor-to-Controller.
  • A Transfer Impact Assessment (TIA) is required to evaluate the destination country’s legal framework, especially regarding government surveillance.
  • Additional safeguards like encryption and pseudonymization are often necessary to address risks identified in the TIA.
  • Non-compliance can lead to fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, as seen in Meta’s €1.2 billion fine in 2023.

What Are Standard Contractual Clauses?

Standard Contractual Clauses (SCCs) are pre-approved agreements designed to ensure that data transferred outside the European Economic Area (EEA) is protected with safeguards equivalent to those in the EU. Since these clauses are pre-approved by the European Commission, organizations don't need to seek separate approval from data protection authorities when using them.

SCCs derive their authority from Article 46(2)(c) of the General Data Protection Regulation (GDPR). This legal framework allows data transfers to third countries, provided that appropriate safeguards are in place. One important feature of SCCs is that they grant third-party beneficiary rights. This means that individuals whose data is being transferred can directly enforce their rights against both the data exporter and importer.

The core text of the SCCs must remain unchanged. Organizations select the module(s) that match the transfer, complete the annexes, and may embed the clauses in a wider contract or add further safeguards, as long as none of these additions contradict the standardized language or weaken the rights of data subjects.

"The New Transfer SCCs certainly solve some headaches from a practical perspective... However, clients must be aware that this is not a one-time paperwork exercise."

When SCCs Are Required for Data Transfers

SCCs are essential for transferring personal data from the EEA to countries that lack an adequacy decision from the European Commission. For example, in the United States, SCCs are required unless the recipient is certified under the EU–US Data Privacy Framework (DPF). Many organizations rely on SCCs as a fallback safeguard, especially in case the DPF faces legal challenges.

The consequences of non-compliance are severe. Unlawful data transfers can result in fines of up to €20 million or 4% of a company’s worldwide annual turnover, whichever is higher. A notable case occurred in May 2023 when Meta was fined €1.2 billion for unlawful EU–US data transfers, the largest GDPR penalty to date.

Key Clauses That Protect Data in SCCs

Standard Contractual Clauses (SCCs) create binding obligations to ensure EU-level data protection during international data transfers. These clauses are essential for compliance and for protecting individuals' rights when their data crosses borders. Here's how key provisions within SCCs achieve this.

Purpose and Scope of Data Transfers

SCCs are built to ensure comprehensive protection for international data transfers, starting with a clear definition of the transfer's purpose and scope.

Annex I.B describes the transfer itself. It requires organizations to specify the categories of personal data being transferred (including whether any special categories of data are involved), the categories of individuals concerned (such as customers or employees), the frequency of transfers, and the purposes of the processing.

The purpose limitation clause ensures that data is only used for the purposes outlined in Annex I.B. For instance, if customer email addresses are collected for order confirmations, they cannot be used for marketing without explicit consent.

Clause 8.1 strengthens control in Controller-to-Processor and Processor-to-Processor relationships (Modules 2 and 3) by requiring importers to process the data only on the exporter's documented instructions.

Clause 14 requires organizations to conduct a Transfer Impact Assessment (TIA). This assessment ensures that the recipient country’s laws do not conflict with SCC obligations, preserving GDPR-level protections.

"The New Transfer SCCs and EDPB Recommendations introduce a renewed focus on the principle of accountability in the GDPR and the need to not only comply but demonstrate compliance." - Marie McGinley, Partner, Eversheds Sutherland

Regulators view incomplete or vague details in Annex I.B as a red flag for non-compliance, so organizations should avoid generic descriptions.

Data Protection Obligations for Exporters and Importers

SCCs define clear roles and responsibilities for both data exporters and importers during a transfer.

Data exporters must ensure that importers meet their obligations by implementing appropriate technical and organizational safeguards. This includes conducting a TIA before initiating transfers.

Data importers are required to implement strong security measures, such as encryption and pseudonymization, to protect the data. They must notify exporters of any personal data breach without undue delay and keep detailed records of their processing activities.

Clause 15 addresses government access requests. If public authorities demand access to transferred data, importers must notify exporters promptly and challenge requests that appear unlawful or excessive.

According to the IAPP-EY Annual Privacy Governance Report, 88% of companies rely on SCCs for international data transfers. However, only 34% of global businesses have properly documented transfer mechanisms, exposing them to compliance risks. Violations can lead to fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.

Transparency and Individual Rights

SCCs go beyond technical measures by empowering individuals with transparency and enforceable rights.

Data subjects are granted third-party beneficiary rights, allowing them to directly enforce certain clauses against exporters or importers. They can file complaints with supervisory authorities or pursue disputes in EU courts, and importers must accept the jurisdiction of these bodies.

Individuals must be informed about the types of data being processed and the purposes behind it. For Controller-to-Controller arrangements under Module 1, exporters are required to provide a copy of the SCCs upon request.

In Controller-to-Processor and Processor-to-Processor relationships, importers must assist exporters in responding to data subject rights requests, such as access, correction, or deletion of data. Importers must also notify the exporter of a personal data breach without undue delay; because a controller has only 72 hours under Article 33 GDPR to notify the supervisory authority, agreements commonly fix the importer's notice period at 72 hours or shorter.

Additionally, individuals have the right to avoid decisions based solely on automated processing, including profiling, that could have legal or significant effects on them. To make these rights accessible, organizations should designate a single contact point for data subject requests and outline clear procedures for handling erasure, rectification, and restriction requests in their agreements.

Additional Measures to Strengthen SCCs

Standard Contractual Clauses (SCCs) serve as legal agreements for data transfers but require extra safeguards, especially after the Schrems II ruling. These additional measures aim to address legal gaps in countries with extensive surveillance powers. Two key components of these safeguards are Transfer Impact Assessments (TIAs) and strong technical and organizational security measures.

Transfer Impact Assessments

A Transfer Impact Assessment (TIA) evaluates whether the legal framework of the destination country offers protections comparable to EU law. This process involves several steps:

  • Mapping the data transfer.
  • Assessing the third country's legal environment.
  • Applying necessary supplementary measures.
  • Maintaining thorough documentation.

Organizations are advised to review TIAs annually or when there are changes in the laws of the destination country. In 2023–2024, EU Data Protection Authorities (DPAs) issued 127 corrective actions related to international transfers, with inadequate TIAs being the most common violation. However, companies that follow a structured TIA process and use customer-managed encryption have seen a 60% drop in DPA examination findings.

If a TIA uncovers risks - like surveillance laws lacking judicial oversight - that undermine SCC protections, the transfer must be stopped unless effective supplementary measures are applied.

"If no supplementary measures can effectively address the identified risks, you must suspend the transfer. This is the hard reality of Schrems II." - Vision Compliance

Technical and Organizational Security Measures

To bolster SCCs, technical and organizational safeguards play a critical role in protecting data.

Technical Measures: These measures ensure that data remains inaccessible to unauthorized parties, regardless of local legal conditions. Examples include:

  • End-to-end encryption, where only the data exporter holds the decryption keys.
  • Pseudonymization, with mapping tables stored exclusively in the EEA.
  • Split processing, which prevents any single importer from accessing complete datasets.
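The second of these measures is easy to get wrong in practice: replacing an e-mail address with a bare SHA-256 hash looks like pseudonymization, but anyone holding a list of candidate addresses can hash them and match the tokens. The following Python is an added example, not code from the original post or from any vendor named in it. It assumes a constructed customer order log with e-mail as the only direct identifier, and shows the exporter deriving keyed tokens (HMAC-SHA256) whose key and re-identification table never leave the EEA side, the importer still aggregating per subject, and a dictionary attack that succeeds against unkeyed hashes but fails against the keyed tokens.

```python
"""
Pseudonymization where the key and the re-identification table stay with the
data exporter in the EEA. Constructed example for illustration; not code from
the original post or from any vendor it mentions.

The exporter derives a deterministic token per data subject with HMAC-SHA256
under a secret key it never shares. The importer receives tokens plus the
attributes it needs, can still group records per subject, but cannot reverse
a token or rebuild one by hashing guessed identifiers.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed sample data: the exporter's customer order log. Only 'email' is
# treated as the direct identifier here (assumption for the example).
EXPORTER_RECORDS: List[dict] = [
    {"email": "alice@example.com", "country": "DE", "order_total_eur": 120.00},
    {"email": "bob@example.com",   "country": "FR", "order_total_eur":  35.50},
    {"email": "alice@example.com", "country": "DE", "order_total_eur":  80.00},
]


@dataclass
class Exporter:
    """EEA-side party. Owns the HMAC key and the token -> identifier table."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    mapping: Dict[str, str] = field(default_factory=dict)  # never exported

    def pseudonymize(self, identifier: str) -> str:
        # Deterministic, keyed token: same identifier -> same token, so the
        # importer can still aggregate per subject without learning who it is.
        token = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self.mapping[token] = identifier
        return token

    def export_dataset(self, records: Iterable[dict]) -> List[dict]:
        """Build the dataset that actually crosses the border: no e-mail column."""
        return [
            {
                "subject_token": self.pseudonymize(r["email"]),
                "country": r["country"],
                "order_total_eur": r["order_total_eur"],
            }
            for r in records
        ]

    def reidentify(self, token: str) -> Optional[str]:
        """Only the exporter can map a token back to a person."""
        return self.mapping.get(token)


def importer_spend_per_subject(dataset: Iterable[dict]) -> Dict[str, float]:
    """Legitimate importer processing: totals per token, no identities needed."""
    totals: Dict[str, float] = {}
    for row in dataset:
        totals[row["subject_token"]] = totals.get(row["subject_token"], 0.0) + row["order_total_eur"]
    return totals


def weak_pseudonymize(identifier: str) -> str:
    """The tempting shortcut: an unkeyed hash. Deterministic, but reversible by guessing."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dictionary_attack(tokens: Set[str], guesses: Iterable[str],
                      tokenizer: Callable[[str], str]) -> Dict[str, str]:
    """Importer-side adversary: tokenize each guessed identifier and look for a match."""
    hits: Dict[str, str] = {}
    for guess in guesses:
        candidate = tokenizer(guess)
        if candidate in tokens:
            hits[candidate] = guess
    return hits


def demo() -> dict:
    exporter = Exporter()
    dataset = exporter.export_dataset(EXPORTER_RECORDS)
    tokens = {row["subject_token"] for row in dataset}
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]

    # Against bare SHA-256 tokens the importer re-identifies everyone it can guess.
    weak_tokens = {weak_pseudonymize(r["email"]) for r in EXPORTER_RECORDS}
    weak_hits = dictionary_attack(weak_tokens, guesses, weak_pseudonymize)

    # Against the keyed tokens the same guesses yield nothing: no key, no token.
    keyed_hits = dictionary_attack(tokens, guesses, weak_pseudonymize)

    return {
        "rows_exported": len(dataset),
        "email_leaked": any("email" in row for row in dataset),
        "distinct_subjects": len(tokens),
        "per_subject_totals": importer_spend_per_subject(dataset),
        "weak_hits": weak_hits,
        "keyed_hits": keyed_hits,
        "exporter_can_reidentify": [exporter.reidentify(t) for t in tokens],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for an Annex II description or a TIA is the location of the secret: the HMAC key and the `mapping` table are the re-identification capability, so they must stay under the exporter's control in the EEA, and the importer's legal exposure to access requests then covers only tokens it cannot resolve. HMAC-SHA256 is one reasonable choice; the EDPB recommendations do not prescribe a specific construction.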

In February 2023, Bloomreach enhanced its Data Transfer Impact Assessment by introducing advanced safeguards such as SOC 2 (Type 2) compliance, VPN and endpoint security, and TLS protocols to reduce surveillance risks.

Organizational Measures: These focus on internal processes and governance, such as:

  • Appointing a Data Protection Officer (DPO) or Chief Information Security Officer (CISO).
  • Implementing robust data governance policies.
  • Conducting regular GDPR compliance training.
  • Establishing incident management and business continuity plans.

While contractual measures - like commitments to challenge government data requests or issuing transparency reports - are helpful, they are limited in scope. They cannot prevent governments from enforcing their legal powers to obtain data.

"Technical measures provide the strongest protection against government access - contractual measures alone are insufficient." - Marc ten Eikelder, Kiteworks

How to Implement SCCs in Your Organization

4-Step Guide to Implementing Standard Contractual Clauses for GDPR Compliance

Steps to Adopt SCCs

Start by mapping out your data flows to pinpoint all international transfers, including those involving sub-processors. This exercise should detail the categories of data subjects, the type of personal data being shared, and the purpose behind each transfer.

Next, choose the right module based on your relationship with the data recipient:

  • Module 1: For Controller-to-Controller transfers, such as sharing employee data between different group entities.
  • Module 2: For Controller-to-Processor relationships, like using a cloud service provider outside the EEA.
  • Module 3: For Processor-to-Processor transfers, when your service provider works with a sub-processor in another country.
  • Module 4: For Processor-to-Controller scenarios.

Complete Annexes I–III with detailed information. Annex I should describe the parties and transfers; Annex II should outline specific security measures, such as AES-256 encryption or multi-factor authentication; and Annex III should document sub-processors. Regulators expect precise details, so avoid vague descriptions of your security practices.

Perform a Transfer Impact Assessment (TIA) to evaluate risks tied to the legal framework of the recipient country. Document your findings and review them annually or when legal changes occur. If risks are identified, implement additional safeguards like end-to-end encryption where you control the decryption keys.

"If no supplementary measures can effectively address the identified risks, you must suspend the transfer. This is the hard reality of Schrems II." - Vision Compliance

For transfers to the United States, check dataprivacyframework.gov to see if your recipient is certified under the EU–US Data Privacy Framework. Even with certification, maintaining SCCs as a backup is wise to ensure continuity if the framework faces legal challenges.

Following these steps can help you integrate SCCs into your operations effectively.

Aligning SCCs with Existing Data Processes

To streamline processes, incorporate SCCs into broader agreements, such as Master Service or Data Processing Agreements, where commercial terms align with data protection standards. This approach minimizes redundancy since Modules 2 and 3 of the 2021 SCCs already cover the Article 28(3) GDPR requirements for processor contracts.

Leverage the optional "docking clause" (Clause 7) to allow new affiliates or sub-processors to join existing agreements without renegotiating the entire contract. This flexibility is especially useful for companies with evolving vendor relationships or growing international operations.

For controller-to-processor relationships, provide clear operational instructions. These "documented instructions" can be communicated through online tools, technical signals, or written protocols that outline how processors should handle personal data. The SCCs require breach notification "without undue delay"; fixing a concrete deadline in the agreement makes that requirement measurable (72 hours is common, and shorter is better given the exporter's own 72-hour deadline under Article 33 GDPR).

Finally, update your internal privacy policies and public-facing notices to reflect disclosures about onward transfers and data subject rights under SCCs. According to the IAPP-EY Annual Privacy Governance Report 2019, 88% of organizations rely on SCCs as their main method for cross-border data transfers.

Conclusion

Standard Contractual Clauses (SCCs) are far more than just a regulatory checkbox - they form a crucial legal backbone for businesses transferring personal data beyond the EU/EEA. With only a handful of countries meeting the EU's data protection standards, SCCs remain the primary solution for lawful international data transfers.

The risks of neglecting these safeguards are stark. Take Meta's €1.2 billion fine in May 2023 for unauthorized EU–US data transfers as a cautionary tale. Such penalties can reach up to €20 million or 4% of a company’s global annual turnover, underscoring the importance of compliance.

"The New Transfer SCCs and EDPB Recommendations introduce a renewed focus on the principle of accountability in the GDPR and the need to not only comply but demonstrate compliance." - Marie McGinley, Partner, Eversheds Sutherland

In the wake of Schrems II, businesses must do more than sign agreements. Conducting Transfer Impact Assessments, adopting additional technical measures like encryption, and staying updated on legal shifts in destination countries are all critical steps. If your organization still relies on the old 2001, 2004 or 2010 SCCs, which could no longer be used after 27 December 2022, switch to the 2021 clauses immediately.

To stay ahead, integrate SCCs into your overall data protection strategy. Whether you’re leveraging the EU–US Data Privacy Framework or relying solely on SCCs, keeping thorough documentation and performing regular compliance reviews will help protect personal data and demonstrate accountability to regulators.

FAQs

Do SCCs by themselves make EU–US data transfers lawful?

No. Standard Contractual Clauses (SCCs) by themselves do not automatically make data transfers from the EU to the US legal. SCCs are the transfer tool, but the exporter must still meet the other GDPR requirements, assess the specific transfer through a Transfer Impact Assessment, and add supplementary measures where that assessment identifies a risk, or suspend the transfer if none are effective.

What should a Transfer Impact Assessment (TIA) include?

A Transfer Impact Assessment (TIA) is a process to determine whether the country receiving data offers data protection standards that align closely with those of the EU.

To carry out a TIA, you need to focus on several key elements:

  • Details of the data transfer: This includes identifying the data exporter and importer, outlining the types of data being transferred, the purpose of the transfer, and the legal mechanism used for the transfer.
  • Legal environment of the destination country: Understand the laws and regulations in the recipient country, particularly those related to data privacy and government access to information.
  • Potential risks: Evaluate any risks tied to the transfer, such as the possibility of unauthorized government access to the data.
  • Safeguards in place: Document protective measures like encryption, pseudonymization, or data minimization techniques.

Once these factors are reviewed, assess whether additional steps are needed to ensure compliance with GDPR requirements. This helps confirm that the data transfer aligns with EU standards for privacy and security.

Which SCC module should we use for our vendor or sub-processor?

When selecting the appropriate SCC (Standard Contractual Clauses) module for your data transfer, consider the nature of your relationship and roles in the exchange:

  • Module 1: Use this if the data transfer is between two controllers (Controller to Controller).
  • Module 2: This applies when a controller transfers data to a processor (Controller to Processor).
  • Module 3: Choose this for transfers between processors (Processor to Processor), for example when your processor engages a sub-processor outside the EEA.
  • Module 4: Use this when a processor in the EEA transfers data back to a controller outside it (Processor to Controller).

Carefully evaluate your specific situation to ensure you're using the correct module for compliance.
