What are Standard Contractual Clauses (SCCs) under GDPR?

Standard Contractual Clauses (SCCs) are model contracts approved by the EU Commission for transferring personal data to countries outside the EU/EEA ("third countries"). They are the most-used basis (GDPR Art. 46(2)(c)) for transfers to countries without an adequacy decision. New SCCs (2021): the EC published Decision 2021/914 on 4 June 2021 — all old SCCs are invalid since 27 Dec 2022 and had to be replaced. Four modules: (1) Controller-Controller, (2) Controller-Processor, (3) Processor-Processor, (4) Processor-Controller. Choose the correct module per relationship. Mandatory additions post-Schrems II: since that ruling (see our Schrems II article) you MUST perform a Transfer Impact Assessment (TIA): assess whether the destination country offers additional safeguards regarding government access. Without a TIA + supplementary measures, SCCs alone are no longer enough. Supplementary measures: encryption at rest + in transit, pseudonymisation, split keys, zero-access architectures. When SCCs don't work: if the destination country has surveillance law conflicting with EU rights essence (e.g. USA FISA 702 — found in Schrems II). Then you need additional technical + organisational measures, or another transfer basis. Practical: major US cloud providers (AWS, Google Cloud, Microsoft Azure) include SCCs + DPA in standard contracts. Since 2023 also EU-US Data Privacy Framework as additional route — but prepare for a Schrems III.