EuroComply

SCCs — Standard Contractual Clauses

Standard Contractual Clauses are sets of pre-approved contractual terms adopted by the European Commission under GDPR Article 46 that provide an appropriate safeguard for transferring personal data from the EU or EEA to third countries that do not benefit from an adequacy decision. When a controller or processor sends personal data to a recipient in, for example, the United States, India, or the Philippines, it needs a legal mechanism to ensure the data will be protected to the EU standard at destination. SCCs are by far the most commonly used such mechanism for commercial transfers.

The current EU SCCs were adopted by the European Commission on 4 June 2021, replacing the previous 2001 and 2010 clauses. They are structured in four modules: Module 1 covers controller-to-controller transfers; Module 2 covers controller-to-processor transfers; Module 3 covers processor-to-processor transfers; and Module 4 covers processor-to-controller transfers. Organisations select the module or combination of modules appropriate to their transfer relationship and incorporate the clauses — without modification to the pre-approved text — into their contracts. The SCCs may be supplemented with additional clauses provided the additions do not contradict the SCCs or undermine the fundamental rights of data subjects.

Following the Schrems II judgment of the Court of Justice in July 2020, reliance on SCCs alone is no longer automatically sufficient. Controllers must conduct a Transfer Impact Assessment (TIA) for each third country involved, evaluating whether the law and practice of the destination country — particularly government access powers — would prevent the SCCs from being effective in practice. Where the TIA reveals a shortfall, supplementary technical measures such as end-to-end encryption or pseudonymisation may need to be implemented before the transfer can proceed.

For an EU SME using US-based SaaS tools, cloud services, or analytics platforms, SCCs combined with a TIA are typically the primary legal mechanism for the data flows involved. Transferring personal data to a third country without an adequate safeguard in place is a violation attracting fines of up to €20 million or 4% of global annual turnover. See the GDPR compliance guide at eurocomply.app/regulations/gdpr


Related terms

GDPR

The General Data Protection Regulation (Regulation (EU) 2016/679) is the cornerstone of EU data protection law, replacing the 1995 Data Protection Directive and entering into force on 25 May 2018. It applies to any organisation — regardless of where it is established — that processes personal data of individuals residing in the European Union or European Economic Area. Personal data means any information that can identify a living person, directly or indirectly: a name, an email address, an IP address, a cookie identifier, or a combination of attributes that singles someone out.

The regulation is built on seven foundational principles set out in Article 5: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Accountability is the principle that distinguishes GDPR from its predecessor — organisations must be able to demonstrate compliance, not merely assert it.

For an EU SME, GDPR creates concrete operational obligations. You need a documented lawful basis for every processing activity (Article 6), a privacy notice that meets the transparency requirements of Articles 13 and 14, a mechanism to respond to data subject requests within one month (Articles 15–22), and a procedure for notifying your national Data Protection Authority of a personal data breach within 72 hours (Article 33). If your processing is high-risk, you must complete a Data Protection Impact Assessment before starting (Article 35).

The consequences of getting it wrong are severe. The supervisory authority in your member state can impose administrative fines of up to €10 million or 2% of global annual turnover for violations of organisational requirements such as missing records or inadequate processor contracts. The upper tier — up to €20 million or 4% of global annual turnover, whichever is higher — applies to breaches of the fundamental principles, lack of lawful basis, or violations of data subject rights. These percentages apply to the entire corporate group's worldwide revenue, not just the entity in breach. Beyond fines, supervisory authorities can issue temporary or permanent bans on processing, which can be existential for data-dependent businesses. See the GDPR compliance guide at eurocomply.app/regulations/gdpr

Data Controller

Under GDPR Article 4(7), a data controller is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data. The key distinguishing feature is decision-making power: if your organisation decides why data is being collected and how it is going to be used, you are the controller for that processing activity. Being a controller is not about physically holding data — a company that instructs a cloud provider to store customer records remains the controller even though the servers belong to someone else.

Controllers bear the primary compliance burden under GDPR. They must identify and document a lawful basis for each processing purpose under Article 6 (and Article 9 for special category data), provide transparent information to individuals at the point of collection under Articles 13 and 14, maintain a Record of Processing Activities under Article 30, implement appropriate technical and organisational measures under Article 32, notify their supervisory authority of data breaches within 72 hours under Article 33, and respond to data subject requests within one month under Articles 15 to 22. Where they engage processors, controllers must enter into written Data Processing Agreements under Article 28 and restrict processor choices to those offering sufficient guarantees of compliance.

Joint controllers — where two or more organisations jointly determine the purposes and means of processing — must enter into an arrangement under Article 26 that allocates GDPR responsibilities between them and designates a point of contact for data subjects. This is common in affiliate marketing, co-branding, and platform ecosystems.

For an EU SME, being miscategorised as a processor when you are actually a controller is a serious compliance risk. Regulators look at substance over label: if a contract says you are a processor but your operational reality involves deciding how customer data is used, you will be treated as a controller. Administrative fines for controller violations can reach €20 million or 4% of global annual turnover, and supervisory authorities can prohibit processing entirely — a potentially business-ending outcome. See the GDPR compliance guide at eurocomply.app/regulations/gdpr

Data Processor

Under GDPR Article 4(8), a data processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. The hallmark of a processor is that it acts on instructions: it does not decide why personal data is processed or set the purposes — that authority belongs to the controller. A payroll bureau processing employee data for a company, a cloud provider storing a SaaS customer's database, and an email delivery platform sending marketing messages are all classic examples of processors.

Processors have a narrower but still binding set of GDPR obligations. They may only process personal data on documented instructions from the controller, must ensure that anyone with access to personal data is bound by confidentiality, must implement appropriate technical and organisational measures under Article 32, must assist the controller in fulfilling data subject requests and breach notification obligations, must delete or return data at the end of the service relationship, and must make available all information necessary to demonstrate compliance. Under Article 28(2), processors may not engage a sub-processor without prior specific or general written authorisation from the controller, and must flow down equivalent obligations to any sub-processor they appoint.

A written Data Processing Agreement (DPA) is mandatory under Article 28. The DPA must specify the subject matter, duration, nature, and purpose of the processing; the type of personal data and categories of data subjects; the obligations and rights of the controller; and the technical and organisational measures to be maintained. Absent a compliant DPA, both parties are exposed to regulatory action.

For an EU SME acting as a processor — for example, providing SaaS software to business customers — you must be prepared to sign customer DPAs, maintain your own records of processing, manage sub-processor chains, and assist customers with breach response. Processors face direct regulatory liability for breaches of their specific Article 28 obligations and for acting outside or contrary to the controller's instructions, with fines reaching €10 million or 2% of global annual turnover. See the GDPR compliance guide at eurocomply.app/regulations/gdpr

DPA — Data Protection Authority

Each EU member state has a national Data Protection Authority — an independent public body responsible for monitoring and enforcing compliance with GDPR and related data protection legislation, advising the public and organisations, and cooperating with its counterparts across the EU. The GDPR refers to these bodies as supervisory authorities; DPA is the common shorthand used in practice. Well-known examples include the CNIL in France, the BfDI in Germany, the Datatilsynet in Denmark and Norway, the Garante in Italy, and the Data Protection Commission (DPC) in Ireland. The UK's Information Commissioner's Office (ICO) performs the same function but operates under UK GDPR following Brexit.

For cross-border processing — where an organisation processes personal data of individuals in more than one EU member state — the one-stop-shop mechanism under Article 56 designates a single lead supervisory authority based on where the organisation has its main establishment (usually its EU headquarters or the place where decisions about processing are taken). Other concerned supervisory authorities in member states where individuals are affected can cooperate and object under Articles 60 and 65 if they disagree with the lead authority's draft decision.

DPAs have significant investigative powers: they can conduct audits, demand access to premises and processing systems, compel production of documents, carry out data protection sweeps, and initiate own-initiative investigations based on complaints or media reports. Their corrective powers include issuing warnings and reprimands, ordering compliance, imposing temporary or permanent bans on processing, and imposing administrative fines. They can also order data to be erased, rectified, or not transferred to third countries.

For an EU SME, your lead supervisory authority is the DPA in the member state where your EU establishment is located. If you have no EU establishment but target EU residents, the DPA of the member state in which you have a representative under Article 27 is your primary point of contact. Engaging proactively with your DPA — for example, seeking prior consultation under Article 36 before high-risk processing — is a legitimate risk management strategy and demonstrates the accountability the regulation requires. See the GDPR compliance guide at eurocomply.app/regulations/gdpr