EU/EEA & United Kingdom · Last reviewed April 2026

Standard Contractual Clauses: a plain English guide for startups

When do you need SCCs for GDPR data transfers? What is the UK IDTA? This guide explains SCCs, their four modules, and how to implement them — with statutory citations.

PrivacyLawApplies.com Editorial Team
CAMS · AIGP (IAPP) · Reviewed April 2026
Key point: SCCs are the most common transfer mechanism for startups

If you transfer personal data from the EU/EEA to a country without an EU adequacy decision — such as the United States — you need a transfer mechanism. Standard Contractual Clauses are the most common mechanism used by startups and small businesses.

What are Standard Contractual Clauses?

SCCs are pre-approved contract clauses adopted by the European Commission under Art. 46(2)(c) GDPR that allow the transfer of personal data from the EU/EEA to third countries — that is, countries without an EU adequacy decision. They bind the data exporter and data importer to GDPR-equivalent data protection obligations.

The current EU SCCs were adopted on 4 June 2021 via Commission Implementing Decision (EU) 2021/914 and replaced the old 2001/2004 SCCs. The new SCCs introduced a four-module structure covering different transfer scenarios, and added clauses for processor-to-processor transfers that the old SCCs did not address.

Because SCCs are pre-approved by the European Commission, organisations do not need prior authorisation from a supervisory authority (DPA) to use them — they simply need to ensure the correct module is selected and the clauses are properly executed.

Art. 46 GDPR · Commission Implementing Decision (EU) 2021/914

When do you need SCCs?

You need SCCs (or another Art. 46 mechanism) whenever you transfer personal data from the EU/EEA to a country that does not have an EU adequacy decision. Key trigger scenarios for startups include:

  • Using a US-based SaaS tool that processes EU user data (e.g. HubSpot, Mailchimp, AWS, Stripe)
  • Sending EU customer data to a US-based analytics provider
  • Offshoring data processing to a non-adequate country

Countries with EU adequacy (no SCCs needed)

  • UK (adequacy decision June 2021, subject to review)
  • Canada (PIPEDA-covered organisations)
  • Switzerland
  • Japan
  • South Korea
  • Israel
  • Argentina
  • New Zealand

Countries without adequacy (SCCs needed)

  • USA
  • India
  • Brazil
  • China
  • UAE
  • Australia (no EU adequacy decision)

Art. 45 GDPR (adequacy) · Art. 46 GDPR (appropriate safeguards)

The four modules of the 2021 EU SCCs

You must select the module that matches your transfer scenario. Only one module applies per transfer relationship.

Module 1: Controller to Controller (C2C)

When both parties are controllers of the data.

Example: sharing customer data with a marketing partner.

Module 2: Controller to Processor (C2P)

Most common for startups. When you (controller) send data to a vendor (processor).

Example: sending EU user emails to Mailchimp.

Module 3: Processor to Processor (P2P)

When your processor subcontracts to another processor in a non-adequate country.

Module 4: Processor to Controller (P2C)

When a processor transfers data back to the controller in a non-adequate country.

Commission Implementing Decision (EU) 2021/914, Annex

Transfer Impact Assessments (TIAs)

After Schrems II (CJEU Case C-311/18, 16 July 2020), SCCs alone are not always enough. You must conduct a Transfer Impact Assessment (TIA) to verify that the SCCs can be effective in the destination country — that is, that the destination country's laws do not undermine the protections the SCCs are supposed to provide.

A TIA involves assessing the legal framework of the destination country, any relevant laws that allow government access to personal data, and whether supplementary measures are needed (such as encryption or pseudonymisation) to make the transfer effective.

For transfers to the US, the EU-US Data Privacy Framework (DPF), adopted in July 2023, now provides an adequacy basis for DPF-certified US companies — potentially removing the need for SCCs for those transfers entirely. Before executing SCCs with a US vendor, check whether they are DPF-certified.

Schrems II (C-311/18) · EDPB Recommendations 01/2020 · Commission Implementing Decision (EU) 2023/1795

UK IDTAs — the UK equivalent of SCCs

Post-Brexit, EU SCCs do not apply to transfers of personal data from the UK. The UK equivalent is the International Data Transfer Agreement (IDTA), adopted by the ICO and approved by Parliament on 21 March 2022. The IDTA fulfils the same function as EU SCCs but operates under UK GDPR rather than EU GDPR.

The UK ICO also adopted an Addendum to the EU SCCs (the "UK Addendum") which can be used alongside EU SCCs. The UK Addendum is designed for organisations that are subject to both EU GDPR and UK GDPR and need a single document to cover both transfer regimes — rather than executing the full IDTA separately.

If your business operates across both the EU/EEA and the UK and transfers data internationally, you may need to execute both EU SCCs and the UK IDTA (or UK Addendum) with the same vendor.

UK GDPR Art. 46 · ICO IDTA (21 March 2022)

How to implement SCCs for your startup

A practical six-step implementation process for startups and small businesses.

  1. Identify all your data flows
     Map where EU/UK personal data goes, especially to US/non-adequate vendors.
  2. Check for adequacy decisions and DPF certification
     If your US vendor is DPF-certified, you may not need SCCs for that transfer.
  3. Select the right module
     Typically Module 2 (C2P) for SaaS tool transfers where you are the controller and the vendor is the processor.
  4. Countersign the SCCs
     Both parties must execute them; many vendors offer them via their DPA (Data Processing Agreement).
  5. Complete a Transfer Impact Assessment
     Document why the SCCs can be effective in the destination country.
  6. Record in your ROPA
     Document the transfer mechanism in your Records of Processing Activities (Art. 30 GDPR).

Frequently asked questions

Do US companies need SCCs?

US companies receiving EU personal data need to either be certified under the EU-US Data Privacy Framework (which provides adequacy for certified organisations) or execute SCCs with EU data exporters. If you are a US company receiving EU user data, your EU customers or partners may ask you to sign SCCs.

What replaced the old SCCs?

The old 2001 and 2004 SCCs were replaced by new EU SCCs on 27 September 2021 (deadline to migrate). The new 2021 SCCs (Commission Implementing Decision (EU) 2021/914) introduced the four-module structure and include clauses for processor-to-processor transfers not covered by the old SCCs.

Do SCCs apply to UK data transfers?

No. UK transfers use the IDTA (International Data Transfer Agreement) or the UK Addendum to the EU SCCs, both adopted by the UK ICO in March 2022. If you are subject to both EU GDPR and UK GDPR, you may need both sets of clauses.

What is the EU-US Data Privacy Framework?

The EU-US DPF is an adequacy decision adopted by the European Commission in July 2023 for US organisations certified under the DPF program (administered by the US Department of Commerce). DPF-certified US companies can receive EU personal data without SCCs. Check certification at dataprivacyframework.gov.

Can I use SCCs for any country?

SCCs can only be used for transfers to non-adequate countries where SCCs can actually be effective — i.e. where the destination country's laws do not prevent compliance. For certain countries (e.g. China), the local surveillance laws may make SCCs ineffective. You must conduct a TIA to assess this.
