Standard Contractual Clauses, often called SCCs, are one of the legal tools used to support certain international data transfers under the UK GDPR. They are especially relevant where personal data is sent outside the UK and no adequacy decision applies.
Standard Contractual Clauses (SCCs) are a legal safeguard used to support certain international data transfers under the UK GDPR. They are most relevant where personal data is being sent outside the UK and no adequacy decision applies. In practice, SCCs are used to create binding contractual protections between organisations so personal data continues to receive an appropriate level of protection.
Main focus
Contractual safeguards for restricted international transfers
Works with
UK GDPR transfer rules, accountability, and transfer risk review
Usually relevant when
Using overseas vendors, cloud platforms, or international group entities
SCCs are one of the main safeguards used under the UK GDPR transfer mechanisms framework. They are designed for situations where personal data is being transferred to a country outside the UK and the destination is not covered by adequacy regulations. SCCs do not replace the wider transfer rules, but help organisations put legally recognised contractual protections in place.
SCCs are most relevant where a transfer is a restricted transfer under the UK GDPR international transfers rules.
SCCs impose contractual obligations intended to protect personal data after it leaves the UK and is handled by another legal entity.
SCCs are usually best understood as one part of the broader international transfers framework, rather than as a complete transfer solution on their own.
In practice, SCCs are used when personal data is being transferred outside the UK and the organisation needs a recognised safeguard under the UK GDPR. They often arise in four situations that many organisations encounter during normal supplier, software, or group-company arrangements.
A UK organisation may need SCCs where it appoints a processor located outside the UK, especially in SaaS or cloud environments. See also data controllers and data processors under UK GDPR.
A transfer can happen where personal data is made accessible to a separate legal entity outside the UK, even if the systems themselves are not physically moved.
SCCs become particularly relevant where there is no adequacy decision covering the destination country and the organisation needs another lawful transfer mechanism.
One of the most common points of confusion is whether SCCs are enough on their own. In reality, they sit within the wider UK GDPR transfer framework. SCCs help create contractual safeguards, but organisations must still assess their transfer arrangements, maintain records, and comply with broader duties such as accountability and transparency.
SCCs are primarily about creating binding contractual obligations between the transferring organisation and the overseas recipient. They are part of the legal mechanism supporting the transfer.
Even where SCCs are used, organisations still need to think about personal data flows, processor arrangements, governance, records, and in some cases transfer risk and broader privacy impacts.
A useful way to approach SCCs is to treat them as the contractual safeguard inside the wider international transfer regime. They are important, but they work best when supported by proper mapping, governance, and review. For the bigger picture, see UK GDPR transfer mechanisms explained.
Many SCC problems do not come from deliberate misuse. They usually happen because organisations assume the clauses alone are enough, or because they do not fully understand the wider transfer framework explained in the ICO’s January 2026 guidance refresh and in our guide to international data transfers under UK GDPR.
Organisations sometimes put clauses in place without first confirming whether a restricted transfer is actually taking place and who the receiving legal entity is.
SCCs are important, but they sit within a wider compliance framework that includes governance, contracts, records, and review.
Transfers involving processors and sub-processors can become complicated quickly, especially where several suppliers are involved across multiple countries.
As supplier arrangements, systems, or guidance change, organisations should review whether their transfer documentation and internal records still reflect reality.
International transfer risk often builds quietly through normal supplier relationships, software use, and operational growth. That is why SCC compliance is usually less about one document in isolation and more about keeping the surrounding governance accurate, practical, and up to date.
This article is based on ICO guidance on international data transfers, restricted transfers, and recognised safeguards, together with relevant UK GDPR provisions that shape how accountability, transparency, and controller and processor arrangements work in practice. For recent regulatory developments affecting transfer rules and regulator expectations, see our updates on ICO International Transfers Guidance Refresh and DUAA data protection changes commence and ICO guidance updates.
Use the glossary for key terms, or download the checklist if you want a practical starting point for reviewing supplier arrangements, transfer safeguards, and wider GDPR compliance.
