Standard contractual clauses
ess-see-SEE
EU-approved contract templates that allow the lawful transfer of personal data from the EU to countries without equivalent data protection laws.
Standard contractual clauses are pre-approved contract terms created by the European Commission. They provide a legal basis for transferring personal data from the EU to countries that do not have an adequacy decision, like the United States.
After the Schrems II ruling invalidated the Privacy Shield framework in 2020, SCCs became the primary mechanism for US companies to receive EU personal data. The 2021 updated SCCs include four modules covering different transfer scenarios: controller to controller, controller to processor, processor to processor, and processor to controller.
For SaaS companies with EU customers, SCCs are mandatory. They are typically included as an annex to the DPA. The company must also conduct a transfer impact assessment to verify that the destination country's laws do not undermine the protections in the SCCs. Data residency requirements may add further constraints on where data can be stored.
Examples
A US-based SaaS company serves EU customers.
The company's DPA includes SCCs as an annex. When an EU customer asks how their data can be stored on US servers, the legal team points to the SCCs and the accompanying transfer impact assessment.
A European company evaluates a new vendor.
The vendor is based in India. The EU company's legal team checks whether the vendor has signed SCCs and conducted a transfer impact assessment before approving the relationship.
The EU-US Data Privacy Framework takes effect.
US companies that certify under the new framework can transfer EU data without SCCs. But many companies keep SCCs in place as a backup in case the framework is challenged in court, like Privacy Shield was.
Frequently asked questions
Are SCCs still needed after the EU-US Data Privacy Framework?
For transfers to the US, certified companies can rely on the framework. However, many companies maintain SCCs as a fallback since the framework could be challenged in court like its predecessor was.
Can SCCs be modified?
The core clauses cannot be changed. Companies can add supplementary measures and additional clauses, but the standard terms approved by the European Commission must remain intact.
Related terms
The European Union regulation that governs how companies collect, store, and process personal data of EU residents.
A contract between a data controller and data processor that defines how personal data will be handled, required under GDPR.
The requirement that data be stored and processed within specific geographic boundaries, often mandated by local laws or regulations.
A legal document that explains what personal data a company collects, how it uses that data, and how it protects it.
Want the complete playbook?
Picks and Shovels is the definitive guide to developer marketing. Amazon #1 bestseller with practical strategies from 30 years of marketing to developers.