What Are the EU's New Standard Contractual Clauses?

February 23, 2022

What are standard contractual clauses and why do they matter?

Standard contractual clauses (SCCs) are model clauses for data transfer agreements. They govern the cross-border transfer of personal data that businesses collect from customers (known as “data subjects”) located in the European Union.

These model clauses are used in data processing agreements (DPAs), which are contracts between data controllers and processors — respectively, the parties outsourcing customer data and the parties processing and analyzing it on their behalf.

SCCs are not optional. If your business has a presence in the European Economic Area and collects EU data, or if you handle customer information on behalf of businesses that do, then you are subject to the EU’s General Data Protection Regulation (GDPR). Both data exporters and data importers can face legal repercussions for noncompliance with the GDPR.

New standard contractual clauses and the EU’s GDPR

While the SCCs are data transfer mechanisms created to guide individual transactions, the GDPR is a broader regulatory framework created to promote data privacy for all EU citizens. It establishes standards for data processing, access, and security, and tough sanctions to be exacted by supervisory authorities for noncompliance.

Legal action under the GDPR has prompted a recent reform of the SCCs. In July 2020, the European Court of Justice (ECJ) issued what is known as the “Schrems II” decision in the case of Data Protection Commissioner v. Facebook Ireland Ltd. The court examined the SCCs along with the EU-US Privacy Shield, which was created in 2016 to provide a framework for data transfers from the EU to the US.

The case originated with a complaint filed by activist Maximilian Schrems, alleging that the transfer of personal data from Facebook’s Ireland subsidiary to its US headquarters could expose that data to US intelligence agencies in contravention of the GDPR. The ECJ agreed, ruling that the old SCCs and the Privacy Shield didn’t do an adequate job of protecting EU customer data from government access.

However, while the court struck down the Privacy Shield framework, it ruled that the SCCs would still be viable data transfer mechanisms with the addition of new safeguards. In accordance with the ECJ’s decision, in June 2021, the European Commission released an updated version of the SCCs to address gaps and ambiguities in the prior version, provide guidance for a wider range of transfer scenarios, and bring the SCCs in line with the GDPR.

Important dates for SCC compliance

As of September 27, 2021, the previous version of the SCCs is no longer viable for new data transfers. Data controllers and data processors must use the updated version of the SCCs in all new DPAs.

Businesses also have to update existing contracts that are noncompliant with the new SCCs. Data controllers and processors transferring EU customer data have until December 27, 2022 to update all of the outdated clauses throughout their data transfer agreements.

Steps to keep your company on track

Updating an entire portfolio of DPAs may seem like a daunting task on top of all of the other work that a legal or compliance team needs to do to keep up with the GDPR and other jurisdictions’ data privacy regulations. However, it doesn’t have to be if you have the right tools and processes in place.

Here are some practical steps that teams can take to ensure that their organizations’ data transfer agreements are compliant with the new SCCs well in advance of the December deadline:

  1. Assemble all of the business’s DPAs and any other relevant contracts together in one place.
  2. Review all relevant clauses throughout the contract portfolio to identify (a) agreements that are already compliant with the new SCCs (which should include any contracts finalized since September 2021), (b) newly outdated clauses to update by December 2022, and (c) any provisions that were already noncompliant with the prior SCCs (hopefully none).
  3. Prepare standardized clauses that are compliant with the new SCCs, if you haven’t already done so for recent DPAs.
  4. Prioritize data transfer agreements to update, taking into account present compliance status and the risk exposure created by each noncompliant or soon-to-be noncompliant agreement.
  5. Communicate and work closely with all relevant stakeholders, including both internal teams and the business partners on the other side of the table.
  6. Update all of your noncompliant contracts with your new standard language, starting with the most urgent and working your way down to the least.
  7. Track your organization’s regulatory compliance on an ongoing basis after all parties have signed the newly revised agreements.

How Evisort supercharges contract compliance

If you’re relying on manual processes (spreadsheets, anyone?), and especially if you have a small legal or compliance team, then you might wonder where to start and whether you can meet that looming deadline.

Don’t panic: Evisort is here for you. Evisort’s best-in-class machine learning and natural language processing software helps lean teams efficiently organize contracts, identify compliant and noncompliant language throughout their portfolios, create standardized clause and agreement templates, and generate and execute new agreements.

Here’s what you can do when you use Evisort’s market-defining contract intelligence for regulatory compliance and risk management:

Remediate efficiently and collaboratively

Centralize your entire contract portfolio without having to migrate a single document. Create a single source of truth where you can triage and update agreements without any manual data entry or spending precious money and time on outsourced providers.

Draft templates, amendments, and new DPAs based on your ideal language, including the new SCCs. Enforce version control while negotiating with your counterparties, and have everyone sign electronically — all from one end-to-end platform.

Answer questions immediately

Find any clause in seconds, regardless of how it’s labeled. Get automated reports and notifications on your data privacy obligations. Locate key clauses and identify compliance gaps so you can analyze your business’s risk exposure. Track which contracts have been executed and which haven’t so you don’t leave any loose ends.

Respond promptly to breaches

Automatically track every notice obligation so you’ll know exactly what to do in the event of a data breach. When you already know every deadline, you’ll have one fewer fire drill to worry about in an emergency.

Adapt confidently

Identify both compliant and noncompliant clauses throughout your entire contract database. Retroactively track clauses related to data privacy regulations, no matter how many years of agreements you have in place.

Leverage standardized data privacy language for every new contract, whether it’s on your template or third-party paper. Give yourself the time and tools you need to review all of your agreements as other new regulations come into play.

Evisort’s powerful AI helps businesses navigate new regulations confidently instead of just trying to stay afloat.

Meeting regulatory deadlines doesn’t need to be intimidating or uncertain. Want to learn more about bolstering your compliance initiatives with contract intelligence? Watch our webinar with data privacy and compliance expert Debbie Reynolds.

