Standard clauses adopted by the Commission

Personal data can also be transferred out of the EU and EEA under the standard contractual clauses (SCC) adopted by the Commission. An 18-month transition period has been set for the adoption of the updated standard clauses. The transition period will end on 27 December 2022.

The transfer can be based on SCCs if both parties are contractually bound to observe them.

SCCs can be used for transfers

  • between two controllers;
  • between a controller and processor;
  • between a processor and controller; and
  • ​​​​​​​between two processors

The controller determines the purposes and means of the processing of personal data.

The processor processes personal data on behalf of the controller and according to its instructions.

The SCCs specify the obligations of both the exporter and importer of the data related to the protection of personal data.

Using SCCs as a transfer basis does not require the permission of the data protection authorities as long as changes are not made to the content of the SCCs.

When using standard contractual clauses, it must be checked on a case-by-case basis if a level of protection of personal data that meets the EU requirements is guaranteed for the transfer of personal data, and the need for supplementary safeguards must be assessed.

Standard clauses for data transfers to third countries

Old standard clauses in the EUR-Lex online service:

Amendments to the SCCs

The European Commission approved the updated standard clauses in June 2021, and they entered into force on 27 June 2021. The new standard clauses for the transfer of personal data to third countries replace the previous standard clauses for international transfers of data.

The standard clauses were updated to correspond to the requirements of the Schrems II decision issued by the CJEU. The Commission has developed questions and answers to provide practical guidance on the use of the SCCs:

Answers to frequently asked questions about SCCs (pdf)

Transfer of personal data from a controller to a processor

If personal data is transferred from a controller to a processor of personal data, both parties are also required to comply with the GDPR’s requirements concerning the use of processors (Article 28). These requirements are taken into account in the new standard clauses for transfers of data.​​​​​​​

Read more about the responsibilities of processors