Standard Contractual Clauses

Standard contractual clauses (SCCs) are pre-approved legal templates issued by the European Commission that allow organizations to transfer personal data from the EU to countries outside the EU that don't have adequate data protection laws. They work as a contractual guarantee that the data will be protected according to EU standards, even when it leaves the Union.

Legal Basis

Standard contractual clauses are established under the GDPR as a mechanism for lawful international data transfers:

"The Commission may [...] adopt standard data protection clauses for the matters referred to in paragraph 2, point (c) and (d)."

— Article 46(2)(c) and 46(2)(d), Regulation (EU) 2016/679 (GDPR)

Why It Matters

Standard contractual clauses are essential for any organization involved in political advertising that processes personal data across borders. When political advertising services use targeting techniques or ad-delivery techniques that rely on personal data, and that data is transferred to countries outside the EU/EEA, SCCs provide the legal foundation for those transfers.

For publishers, providers of political advertising services, and sponsors working with international partners—such as cloud service providers in the United States, analytics platforms, or global advertising networks—SCCs are often the most practical tool to ensure GDPR compliance. Without proper transfer mechanisms like SCCs, transferring personal data outside the EU is unlawful and can result in significant penalties from data protection authorities.

The European Court of Justice has made clear that SCCs alone are not always sufficient. Organizations must also assess whether the destination country's laws might undermine the protections guaranteed by the clauses and, if necessary, implement additional safeguards.

Key Points

• Pre-approved templates: SCCs are drafted by the European Commission and cannot be modified in their substantive provisions, ensuring consistent protection standards
• Binding obligations: Both the data exporter (in the EU) and the data importer (outside the EU) are contractually bound to protect the data according to EU law
• Transfer impact assessment required: Organizations must assess whether the laws of the destination country might interfere with the guarantees provided by the SCCs
• Multiple versions available: Different sets of SCCs exist for different transfer scenarios (controller-to-controller, controller-to-processor, processor-to-processor)
• Alternative to adequacy decisions: SCCs are used when transferring data to countries that lack an EU adequacy decision (such as the United States post-Privacy Shield)
• Monitoring and compliance: Both parties must ensure ongoing compliance and may need to suspend or terminate transfers if protections cannot be guaranteed

Standard Contractual Clauses vs. Adequacy Decision

Standard contractual clauses and adequacy decisions are both legal mechanisms for transferring personal data outside the EU, but they work differently.

An adequacy decision is a formal determination by the European Commission that a specific country provides an essentially equivalent level of data protection to the EU. When an adequacy decision exists (such as for the EU-US Data Privacy Framework, the UK, or Canada), data can flow freely to that country without additional safeguards.

Standard contractual clauses, by contrast, are used when no adequacy decision exists. They are contractual agreements that require both parties to commit to specific data protection obligations. While SCCs provide flexibility and can be used for any third country, they require more active implementation, ongoing monitoring, and transfer impact assessments—whereas adequacy decisions simplify compliance by eliminating these additional steps.

Related Terms

• Personal Data
• Data Controller
• Data Processor
• GDPR
• Third Country
• Data Protection Authority
• Transfer Impact Assessment
• Adequacy Decision
• Binding Corporate Rules
• Data Subject Rights