Standard Contractual Clauses

What are Standard Contractual Clauses?

‍Standard Contractual Clauses, commonly known as SCCs, are pre-approved template contract terms published by the European Commission that provide a lawful basis under the General Data Protection Regulation for transferring personal data from the European Economic Area to countries outside it. For Irish companies that use international service providers, have group companies overseas, or sell services to customers whose data flows outside the EEA, SCCs are one of the most commonly relied upon mechanisms to meet the GDPR's strict rules on international data transfers.

‍Under Chapter V of the GDPR, personal data can only be transferred outside the EEA to a third country where appropriate safeguards are in place to protect that data. The European Commission publishes a set of modular clauses that parties can incorporate into their own contracts, and these clauses carry the weight of a Commission adequacy mechanism. Where an SCC is properly executed, the parties are considered to have satisfied the requirement for appropriate safeguards without needing to negotiate bespoke data protection terms from scratch.

‍The current SCCs were adopted in June 2021 and replaced an earlier set that had been in force since 2010. The 2021 version is modular, meaning it contains four sets of clauses tailored to different relationships: controller to controller, controller to processor, processor to processor, and processor to controller. Parties select the module relevant to their relationship and complete the accompanying annexes with specific details about the transfer, the data involved, and the technical and organisational measures in place.

When do Irish companies need SCCs?

‍If your Irish company uses a cloud provider, CRM system, email platform, or any other service where personal data is hosted or processed outside the EEA, you probably need SCCs in place with that provider. The most common triggers are using US-based SaaS platforms such as Salesforce, HubSpot, AWS, or Google Workspace, engaging a contractor in a third country such as the UK, Canada, or India, or having an intra-group data flow where an Irish subsidiary transfers employee or customer data to a parent company outside the EEA.

‍For data transfers to the United States specifically, the position has evolved significantly. The original Privacy Shield framework was struck down by the Court of Justice of the European Union in 2020 in the Schrems II decision, which also reinforced the requirement for supplementary measures alongside SCCs when transferring data to jurisdictions with extensive surveillance laws. The EU-US Data Privacy Framework, adopted in July 2023, now provides an alternative adequacy mechanism for certified US organisations, but SCCs remain the fallback where the recipient is not certified under the framework.

‍Most major cloud and SaaS providers now automatically incorporate SCCs into their Data Processing Addendums, so a simple click-through during procurement often means the clauses are already in place. However, it is still your responsibility as the data controller to verify that the SCCs are appropriate, that the annexes accurately describe your use case, and that any supplementary measures required by the Schrems II judgment are addressed.

What the clauses require

‍The SCCs impose a detailed set of obligations on both the data exporter in the EEA and the data importer in the third country. The importer must process the data only on the exporter's documented instructions, implement appropriate security measures, notify the exporter of any personal data breach, assist with responding to data subject rights requests, and cooperate with supervisory authorities.

‍The clauses also contain commitments around onward transfers, meaning the importer cannot pass the data to another third party outside the EEA without ensuring equivalent protections are in place, typically through a further set of SCCs. Importers must also provide information about the laws and practices of the destination country that could affect the ability to comply with the SCCs, particularly surveillance and access by public authorities.

‍A key obligation introduced after Schrems II is the transfer impact assessment. Before relying on SCCs, the parties must assess whether the laws and practices of the importer's country provide a level of protection essentially equivalent to EU law. Where gaps are identified, the parties must implement supplementary measures such as encryption, pseudonymisation, or contractual protections to address those gaps. This assessment must be documented and reviewed periodically.

Practical steps for Irish companies

‍The first step is to map your data flows. Identify every third-party service that processes personal data on your behalf, every intra-group entity that receives data, and every contractor or partner that may access personal data from outside the EEA. Record the categories of data, the countries involved, and the purpose of the transfer.

‍For each transfer to a third country, check whether the destination is covered by an adequacy decision. If it is, no additional safeguard is needed. If not, check whether SCCs are in place through the provider's standard terms, and if so, verify the annexes are complete and accurate. Where SCCs are not in place, request them from the counterparty or terminate the transfer. Any bespoke transfer that is not routed through a provider's standard framework will require your own execution of the SCCs, typically as a separate document appended to the main commercial contract.

‍Finally, document your transfer impact assessments and review them whenever the legal landscape changes. The data processor relationship and the SCC framework are actively supervised by the Data Protection Commission in Ireland, and demonstrating a thoughtful approach to international transfers is a core element of GDPR compliance that regulators will expect to see during any investigation or audit.

‍