
GDPR Art.46.SCCs: Standard Contractual Clauses Implementation

What This Control Requires

The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2).

In Plain Language

SCCs are the workhorse of international data transfers. These pre-approved contractual terms from the European Commission provide appropriate safeguards without needing supervisory authority sign-off. The current version, adopted in June 2021 (Decision 2021/914), replaced all previous sets and uses a modular approach: Module 1 for controller-to-controller, Module 2 for controller-to-processor, Module 3 for processor-to-processor, and Module 4 for processor-to-controller transfers.

Signing SCCs alone is no longer enough, though. After Schrems II, you must run a Transfer Impact Assessment for each transfer to verify that the destination country's legal framework actually lets the importer comply with the SCCs in practice. If the assessment turns up problems, supplementary measures need to go alongside the SCCs.

The 2021 SCCs introduced several useful features: a docking clause that lets additional parties join existing SCCs without starting from scratch, detailed sub-processor management requirements, specific provisions for handling government access requests, and mandatory audit rights. The annexes require you to describe the specific transfer arrangements in detail - parties, data categories, purposes, security measures, and any restrictions.

How to Implement

Choose the right SCC module for each transfer based on the actual roles of the parties. Module 1 (C2C) is for two independent controllers. Module 2 (C2P) is for a controller sending data to a processor. Module 3 (P2P) is for a processor engaging a sub-processor abroad. Module 4 (P2C) covers a processor transferring data back to a controller in a third country. You can combine multiple modules in a single agreement if a party wears different hats.

Complete every clause and annex for your chosen module. The main body covers purpose, scope, third-party beneficiary rights, hierarchy with other agreements, the transfer description, data protection safeguards, sub-processor management, data subject rights, liability, supervisory authority oversight, termination, governing law, and jurisdiction. Do not alter the clause text - use it as adopted. You can select between optional provisions where choices are offered. Fill in Annex I (party details, transfer description, competent supervisory authority), Annex II (technical and organisational measures), and where relevant, Annex III (sub-processor list). Be specific and honest in these annexes. Generic boilerplate is a compliance failure waiting to happen. Annex II must describe real security measures actually in place at both the exporter and importer, not aspirational ones.

Integrate SCCs into your vendor management and DPA framework. You can append or incorporate SCCs into existing DPAs, as long as the SCCs take precedence in case of conflict. Maintain a register of all executed SCCs tracking parties, modules, transfer descriptions, execution dates, and review dates. Set calendar reminders for periodic review.

Run a Transfer Impact Assessment for each set of SCCs before or at execution time. The TIA evaluates whether the importer can actually honour the SCCs given local laws. Document the assessment, any supplementary measures you put in place, and your reasoning for concluding the transfer is adequately protected. Revisit the TIA whenever the destination country's legal landscape changes.

Evidence Your Auditor Will Request

  • Executed SCCs with correct module selection for each international transfer
  • Completed Annexes I, II, and III with specific, accurate transfer descriptions
  • Register of all executed SCCs with tracking of parties, modules, and review dates
  • Transfer Impact Assessments conducted for each set of SCCs
  • Evidence of SCC integration into broader DPA and vendor management framework

Common Mistakes

  • Using the wrong SCC module for the parties' actual roles (e.g., using C2P when the relationship is C2C)
  • Annexes completed with generic descriptions that do not accurately describe the specific transfer
  • SCCs executed without conducting the required Transfer Impact Assessment
  • Using outdated SCC versions (pre-June 2021) for new transfers
  • No register or tracking system for executed SCCs, leading to expired or unreviewed clauses

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.20        Related
ISO 27001    A.5.34        Related

Frequently Asked Questions

Can we modify the text of the SCCs?

No. The clause text must be used exactly as the Commission adopted it. You can select between optional provisions where choices are offered (like the docking clause or governing law), and you fill in the annexes with your specific details. You can add extra contractual terms in the broader agreement, but they must not contradict or undermine the SCCs.

What is the docking clause and should we use it?

Clause 7 lets additional parties join existing SCCs as either exporters or importers without executing a whole new set. It is handy for multi-party arrangements, group companies coming on board, or new vendors being added to an existing SCC structure. If you anticipate adding parties over time, include it from the start - it saves significant administrative effort.

How often should we review our SCCs?

There is no hard rule, but annual review is good practice. Beyond that, review whenever something material changes - new data categories, changed purposes, new sub-processors, or shifts in the destination country's legal framework. Always review the associated Transfer Impact Assessment at the same time. Stale SCCs with outdated annexes are a common audit finding.
