Standard Contractual Clauses
aka SCCs, EU SCCs
Pre-approved contractual templates issued by the European Commission for transferring personal data outside the EEA. The default fallback when no adequacy decision applies.
Last reviewed April 2026
Definition
Standard Contractual Clauses (SCCs) are template contractual terms approved by the European Commission that, when incorporated into a contract between a data exporter in the EEA and a data importer outside the EEA, provide a valid transfer mechanism under Article 46 of the GDPR. The current SCCs were adopted in June 2021 (Decision 2021/914) and replaced the older 2010 controller-to-processor and 2001/2004 controller-to-controller clauses. They cover four modules: controller to controller, controller to processor, processor to processor, and processor to controller. The 2021 SCCs cannot be modified except to add the parties' identities, the technical and organisational measures, and the local-law assessment outcomes; using older 2010-era SCCs has been invalid since 27 December 2022. After Schrems II, SCCs alone are not sufficient for a transfer to a third country whose surveillance law is judged by the CJEU to fall short of EU standards (notably the US prior to the 2023 DPF). A Data Transfer Impact Assessment (DTIA) is required to confirm whether supplementary measures are needed.
Why it matters for software choice
Software contracts that still reference 2010-era SCCs are technically using an invalid transfer mechanism. Verify the data processing agreement points to the 2021 SCCs (Decision 2021/914) and that the correct module is selected for the controller/processor relationship.
Authority sources
- European Commission: Standard Contractual Clauses (commission.europa.eu)
- Decision 2021/914 on SCCs (eur-lex.europa.eu)
Software categories this affects
Vendors covered by this term
HubSpot CRM
Free CRM with marketing automation, widely adopted by Irish tech and services firms
Salesforce
Enterprise CRM with EU data centres and a strong Irish partner ecosystem
Microsoft Copilot
AI assistant integrated into Microsoft 365, with EU data boundary for European customers
ChatGPT Enterprise
OpenAI's enterprise AI assistant with advanced reasoning, data analysis, and custom GPTs
Mailchimp
The world's most widely used email marketing platform, with a generous free tier for small lists
Klaviyo
Ecommerce-focused email and SMS marketing with deep Shopify and WooCommerce integration
Related terms
Data Residency (EU vs US)
Where customer personal data is stored and processed. Storing inside the EU/EEA simplifies GDPR compliance; processing in the US triggers transfer-mechanism obligations under Schrems II.
Data Protection Commission
Ireland's national data protection authority. Lead supervisory authority for many large US tech companies headquartered in Dublin under the GDPR's one-stop-shop mechanism.
Data Transfer Impact Assessment
Documented assessment of whether a non-EEA jurisdiction provides essentially equivalent protection for personal data, required after Schrems II for transfers under SCCs.
Data Processing Agreement
Mandatory contract under GDPR Article 28 between a data controller and a data processor. Sets out subject matter, duration, processing purposes, and required security measures.