Standard Contractual Clauses (SCCs) are pre-approved contractual templates published by the European Commission that, when concluded between a data exporter in the EEA and a data importer in a third country, satisfy the GDPR Article 46 requirement for appropriate safeguards. The current SCCs, adopted by Commission Implementing Decision (EU) 2021/914, replaced the outdated 2001 and 2010 versions and introduced a modular structure covering controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor transfer scenarios.
Parties must complete the SCCs without altering the core protective clauses, though they may add supplementary contractual terms provided these do not contradict the pre-approved text. Alongside executing the SCCs, parties must conduct a Transfer Impact Assessment (TIA) to evaluate whether the laws and practices of the destination country impair the protection the SCCs provide. Where significant risks are identified, supplementary technical or organisational measures, such as encryption or pseudonymisation, must be implemented.
Companies using the 2010 version SCCs were required to migrate to the 2021 SCCs by 27 December 2022. HR and payroll departments should audit all third-country vendor contracts, including cloud HR systems and global payroll platforms, to confirm that valid 2021-format SCCs are in place and that TIAs have been documented.