Standard Contractual Clauses (SCCs) for SaaS Companies
A Practical Guide to GDPR Cross-Border Data Transfers for Cloud and Software-as-a-Service Providers

March 2026

This guide explains Standard Contractual Clauses (SCCs) as they apply to SaaS businesses that transfer personal data outside the European Economic Area. It covers the legal foundations, modular structure, Transfer Impact Assessments, the relationship between SCCs and the EU-US Data Privacy Framework, and practical implementation steps. The document is designed to help SaaS legal, compliance, and product teams understand their obligations and build compliant international data transfer programs.

Introduction

The global nature of cloud computing means that Software-as-a-Service (SaaS) providers routinely transfer personal data across national borders. Under the European Union's General Data Protection Regulation (GDPR), any transfer of personal data from the European Economic Area (EEA) to a country that has not received an adequacy decision from the European Commission must be supported by an appropriate safeguard. Standard Contractual Clauses (SCCs) are the most widely used of these safeguards.

For SaaS companies, SCCs are not merely a legal formality. They define the contractual backbone of international data processing relationships, set binding obligations on both data exporters and data importers, and require documented assessments of the legal environment in every destination country. Getting SCCs right is essential for regulatory compliance, enterprise sales readiness, and customer trust.

This guide provides a comprehensive overview of SCCs, tailored specifically to the operational realities of SaaS businesses. It covers the legal theory, the modular clause structure, Transfer Impact Assessments (TIAs), the interplay with the EU-US Data Privacy Framework (DPF), upcoming regulatory changes, and practical checklists for implementation.


What Are Standard Contractual Clauses?

Definition and Legal Basis

Standard Contractual Clauses are pre-approved model contract terms issued by the European Commission. They function as a transfer mechanism under Article 46(2)(c) of the GDPR, enabling organisations to lawfully transfer personal data to countries outside the EEA that have not been recognised as providing adequate data protection. By incorporating SCCs into a contract, both the data exporter and the data importer agree to be bound by specific data protection obligations that are designed to provide a level of protection essentially equivalent to that guaranteed within the EU.

Historical Evolution

The concept of model contractual clauses for data transfers predates the GDPR. The first set was introduced under the EU Data Protection Directive (95/46/EC) in 2001, with updates in 2004 and 2010. These earlier versions were designed around simpler data flows and binary relationships between controllers.

On 4 June 2021, the European Commission adopted the current modernised SCCs, replacing all three legacy sets. The 2021 SCCs introduced a modular structure that reflects the complexity of modern data processing chains, including processor-to-processor transfers. Organisations were required to use the new SCCs for all new contracts from 27 September 2021 and had until 27 December 2022 to transition existing agreements.

Year | Development
--- | ---
2001 | First SCCs adopted under Directive 95/46/EC (controller-to-controller transfers)
2004 | Second set of SCCs offering greater flexibility for controller-to-controller transfers
2010 | Third set introduced for controller-to-processor transfers
2018 | GDPR enters into force, requiring enhanced transfer safeguards
2020 | Schrems II ruling invalidates EU-US Privacy Shield; SCCs upheld but with additional obligations
2021 | European Commission adopts modernised SCCs with four-module structure (4 June 2021)
2023 | EU-US Data Privacy Framework adequacy decision adopted (10 July 2023)
2025 | EU General Court upholds DPF validity; European Commission begins public consultation on updated SCCs for importers directly subject to GDPR


When Are SCCs Required?

SCCs are required whenever personal data is transferred from the EEA to a third country that does not benefit from an adequacy decision, and no other valid transfer mechanism (such as Binding Corporate Rules or an applicable derogation under Article 49 GDPR) is in place. For SaaS companies, the most common scenarios include:

- Customer data processing: An EU-based customer (data exporter/controller) engages a SaaS provider hosted in the US or another non-adequate country (data importer/processor).
- Sub-processor chains: The SaaS provider itself relies on cloud infrastructure (e.g., AWS, Google Cloud, Azure) with data centres in non-adequate jurisdictions.
- Internal group transfers: A SaaS company with EU subsidiaries transfers employee or customer data to its non-EU headquarters.
- Remote access: Engineers or support teams located outside the EEA access personal data stored within EU data centres.

The Modular Structure of the 2021 SCCs

One of the most significant innovations of the 2021 SCCs is their modular design. Rather than offering a single set of clauses for all situations, the Commission created four modules that map to different exporter-importer relationship types. Parties select the module that corresponds to their specific data transfer scenario.

Module | Exporter Role | Importer Role | Typical SaaS Scenario
--- | --- | --- | ---
Module 1 | Controller | Controller | EU business shares customer data with a non-EU analytics partner that independently determines processing purposes
Module 2 | Controller | Processor | EU customer (controller) engages a US-based SaaS provider (processor) to process personal data on its behalf
Module 3 | Processor | Sub-processor | SaaS provider (processor) transfers customer data to a cloud hosting sub-processor in a non-adequate country
Module 4 | Processor | Controller | Non-EU SaaS provider returns processed data to an EU controller or transfers to a third-country controller directing the processing

Module 2: The Core SaaS Module

Module 2 (controller to processor) is the most relevant for SaaS providers. In a typical arrangement, an EU-based customer acts as the data controller, and the SaaS provider, often based in the United States or another non-adequate country, acts as the data processor. Module 2 includes obligations covering:

- Purpose limitation: The processor may only process personal data on documented instructions from the controller.
- Security measures: Both parties must implement appropriate technical and organisational measures detailed in the SCC annexes.
- Sub-processing: The processor must obtain prior specific or general written authorisation before engaging sub-processors, and must impose equivalent obligations on them.
- Data subject rights: The processor must assist the controller in responding to data subject access, rectification, erasure, and portability requests.
- Audit rights: The controller (or an independent auditor mandated by the controller) may audit the processor's compliance with the SCCs.

Module 3: Sub-processor Transfers

Module 3 governs processor-to-sub-processor transfers. This module is critical for SaaS companies that rely on third-party infrastructure providers, payment processors, or other downstream service providers located outside the EEA. The SaaS provider, acting as the initial processor, must ensure that each sub-processor is bound by equivalent data protection obligations and must make the sub-processing agreement available to the controller on request.

Key Obligations Under the SCCs

The 2021 SCCs impose a structured set of obligations on both exporters and importers. The European Commission has published detailed Questions and Answers on the use of the SCCs. The following table summarises the principal clauses and their operational significance for SaaS businesses.

SCC Clause | Obligation Summary | SaaS Relevance
--- | --- | ---
Clause 8: Data Protection Safeguards | Defines processing instructions, purpose limitation, data minimisation, and security measures | Maps directly to the Data Processing Agreement (DPA) that SaaS providers include in their Terms of Service
Clause 9: Sub-processor Management | Requires written authorisation for sub-processors and equivalent contractual obligations | SaaS providers must maintain and publish a sub-processor list and have a notification/objection mechanism
Clause 10: Data Subject Rights | Importer must assist exporter in fulfilling data subject requests | SaaS product must support data export, deletion, and access request workflows
Clause 11: Redress | Data subjects may invoke clauses as third-party beneficiaries | Requires a clear complaint-handling process documented in the DPA
Clause 12: Liability | Parties are liable to data subjects for breaches of the SCCs | Liability allocation must be reflected in commercial contracts and insurance coverage
Clause 13: Supervision | Supervisory authority of the exporter has jurisdiction | SaaS providers must cooperate with EU data protection authorities when required
Clause 14: Transfer Impact Assessment | Parties must assess whether local laws undermine the effectiveness of the SCCs | Requires a documented TIA for each destination country (see Transfer Impact Assessments below)
Clause 15: Government Access | Importer must notify exporter of legally binding government data access requests (where permitted) | SaaS providers need an internal policy and transparency report for government access requests
Clause 16: Non-compliance | Importer must promptly inform exporter if unable to comply with the SCCs | Triggers incident response processes and may require suspending data transfers

Transfer Impact Assessments (TIAs)

What Is a TIA?

A Transfer Impact Assessment is a documented evaluation of whether the legal framework in the data importer's country provides a level of protection that is essentially equivalent to that guaranteed under EU law. The obligation to conduct a TIA stems from Clause 14 of the 2021 SCCs and from the Court of Justice of the European Union's Schrems II ruling (Case C-311/18, July 2020). Without a documented TIA, the SCCs are not considered valid, and the underlying data transfer is unlawful.

When Is a TIA Required?

A TIA must be conducted before commencing any data transfer that relies on SCCs as the transfer mechanism. However, a TIA is not required in two situations:

- Adequacy decisions: Transfers to countries covered by a European Commission adequacy decision (such as the United Kingdom, Japan, South Korea, Israel, and Switzerland) do not require SCCs or a TIA.
- EU-US Data Privacy Framework: Transfers to US organisations that are certified under the EU-US Data Privacy Framework do not require a TIA, as the DPF operates under its own adequacy decision.

Step-by-Step TIA Process

The EDPB Recommendations 01/2020 set out a six-step methodology that serves as the standard framework for conducting a TIA. France's CNIL has also published a practical guide to assist data exporters. The following table outlines each step with practical guidance for SaaS companies.

Step | Action | SaaS Implementation Guidance
--- | --- | ---
Step 1 | Map your data transfers | Document all flows: which personal data categories leave the EEA, to which countries, via which SaaS product features and infrastructure components
Step 2 | Identify the transfer tool | Confirm which SCC module applies (typically Module 2 for controller-to-processor or Module 3 for processor-to-sub-processor)
Step 3 | Assess destination-country laws | Evaluate surveillance legislation, government access powers, judicial oversight, and available legal remedies in each destination country (e.g., FISA 702 and EO 14086 for the US)
Step 4 | Identify supplementary measures | Determine whether additional technical (encryption, pseudonymisation), organisational (access controls, training), or contractual measures are needed
Step 5 | Implement procedural steps | Formally adopt supplementary measures, update contracts and DPAs, and obtain necessary internal approvals
Step 6 | Re-evaluate at intervals | Monitor legal developments and re-assess at least annually or when significant changes occur in destination-country laws

Supplementary Measures

If the TIA reveals that the destination country's legal framework may compromise the effectiveness of the SCCs, supplementary measures must be implemented. The EDPB categorises these as follows:

Category | Examples | Effectiveness for SaaS
--- | --- | ---
Technical Measures | End-to-end encryption, pseudonymisation, key management under exporter control, split processing | Strong where the importer does not need access to data in the clear. Limited for SaaS providers that must process plaintext data to deliver the service
Organisational Measures | Internal access controls, staff vetting, security certifications (ISO 27001, SOC 2), transparency reports | Helpful as supporting evidence in TIA documentation but generally not considered sufficient on their own
Contractual Measures | Commitments to challenge government access orders, notification obligations, warrant canary clauses | Useful to demonstrate good faith but cannot override mandatory local law

Important note: If the SaaS provider needs to access data in the clear (for example, to perform analytics, run machine learning models, or render application interfaces), encryption alone will not prevent government access. In these cases, a combination of technical, organisational, and contractual measures is typically required, and organisations may also need to consider EU-based processing alternatives.

SCCs and the EU-US Data Privacy Framework

Overview of the DPF

On 10 July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF). The DPF allows US organisations that self-certify with the US Department of Commerce to receive personal data from the EEA without requiring SCCs or any other transfer mechanism. As of late 2025, over 3,400 US organisations have self-certified under the DPF.

In September 2025, the EU General Court dismissed a legal challenge to the DPF (Case T-553/23, Latombe v Commission), confirming the validity of the adequacy decision for the time being. However, privacy advocacy organisations continue to signal that further legal challenges are likely, and a referral to the full Court of Justice of the European Union (CJEU) remains possible.

DPF vs SCCs: Choosing the Right Mechanism


Factor | DPF | SCCs
--- | --- | ---
Geographic Scope | US only | Any non-adequate third country
TIA Requirement | Not required | Required for each destination country
Compliance Burden | Annual self-certification, adherence to DPF principles | Contract execution, TIA documentation, supplementary measures, ongoing monitoring
Legal Stability | Subject to future legal challenge; two prior frameworks were invalidated by the CJEU | Upheld by the CJEU as valid in principle; less vulnerable to single-point invalidation
Best Practice | Use DPF as primary mechanism for US transfers | Maintain SCCs as a fallback alongside the DPF to ensure continuity if the adequacy decision is revoked

Why SaaS Companies Should Maintain Both

The history of EU-US data transfer frameworks suggests that relying on a single mechanism carries significant risk. Both the Safe Harbor agreement (invalidated in 2015) and the Privacy Shield (invalidated in 2020) were struck down with immediate effect and no transition period. A prudent SaaS company will maintain SCCs alongside the DPF so that, if the adequacy decision is ever withdrawn or invalidated, data transfers can continue without disruption.

Additionally, the European Commission's adequacy decision explicitly acknowledges that the safeguards introduced by US Executive Order 14086 apply to all data transfers to the US, regardless of the transfer tool used. As Baker McKenzie has noted, this means that SaaS companies relying on SCCs for US transfers can reference the Commission's findings in their TIAs, simplifying the assessment process considerably.

Upcoming Regulatory Developments

New SCCs for Importers Subject to GDPR

The current 2021 SCCs were designed for scenarios in which the data importer is not directly subject to the GDPR. However, many SaaS providers based outside the EEA are in fact directly subject to the GDPR under Article 3(2) because they offer goods or services to individuals in the EU or monitor their behaviour. The EDPB highlighted this gap in its 2023 Guidance, identifying 12 scenarios in which the existing SCCs either did not apply or provided insufficient coverage.

In response, the European Commission launched a public consultation in late 2024 and has been developing an additional set of SCCs to cover this scenario. These updated clauses are expected to supplement (not replace) the existing four modules. SaaS providers that are directly subject to GDPR should monitor this development closely, as it may require updates to existing contracts.

EU Data Act: Cloud Computing SCCs

Separately from the GDPR transfer SCCs, the EU Data Act (Regulation 2023/2854) requires the European Commission to develop non-binding SCCs specifically for cloud computing contracts by 12 September 2025. These cloud computing SCCs will address commercial contract terms such as information security, business continuity, liability, and termination rights. Early drafts suggest the clauses may depart significantly from current market norms for cloud contracting. While non-binding, they are expected to influence procurement decisions and serve as a benchmark for fairness in cloud and SaaS agreements.

Brazil and Other Jurisdictions

The EU is not the only jurisdiction requiring SCCs. Brazil's data protection authority (ANPD) issued its own SCC template in 2024, with a compliance deadline of 23 August 2025. The Brazilian SCCs are currently the only immediately available mechanism (aside from individual consent) for legally transferring personal data of Brazilian residents abroad under the LGPD. SaaS companies with Brazilian users or employees should evaluate whether they need to adopt Brazilian SCCs in addition to EU SCCs. Other jurisdictions, including China and India, are also developing or have adopted their own standard contract frameworks for international data transfers.

Practical Implementation for SaaS Companies

Step-by-Step Implementation Roadmap

1. Map all international data transfers. Identify every flow of personal data that leaves the EEA, including customer data, employee data, and metadata. Include transfers to cloud infrastructure providers, analytics tools, support platforms, and payment processors.

2. Classify each transfer by module. Determine whether each transfer falls under Module 1, 2, 3, or 4 based on the roles of the parties involved.

3. Execute SCCs with all relevant counterparties. Incorporate the appropriate SCC module into your Data Processing Agreements or as a standalone annex to your service agreements.

4. Complete Transfer Impact Assessments. Conduct and document a TIA for each destination country. Reference the European Commission's adequacy findings where applicable (e.g., EO 14086 for US transfers).

5. Implement supplementary measures where required. Deploy appropriate technical, organisational, and contractual safeguards based on your TIA findings.

6. Complete SCC Annexes with specificity. Annex I (transfer details), Annex II (technical and organisational measures), and Annex III (sub-processor list) must contain accurate and detailed information, not generic boilerplate.

7. Establish a sub-processor management process. Maintain a current, publicly accessible list of sub-processors. Implement a notification and objection mechanism for customers.

8. Build product features to support compliance. Ensure your SaaS product supports data subject access requests, data export, deletion, and portability.

9. Train relevant teams. Legal, security, engineering, and customer success teams should understand their SCC-related obligations.

10. Schedule periodic reviews. Re-evaluate TIAs at least annually or upon material changes in destination-country legislation or your sub-processor landscape.

SCC Compliance Checklist


Item | Owner | Frequency
--- | --- | ---
Data transfer mapping and register | Privacy/Legal | Ongoing
SCC module selection per transfer | Legal | Per new transfer
SCC execution in DPAs/contracts | Legal/Sales | Per contract
Transfer Impact Assessment | Privacy/Legal | Annual + trigger-based
Supplementary measures implementation | Security/Engineering | As required by TIA
SCC Annex I, II, III completion | Legal/Security | Per contract
Sub-processor list publication | Legal/Ops | Ongoing
Customer notification mechanism | Product/Legal | Per sub-processor change
Data subject rights workflows in product | Product/Engineering | Continuous
Government access request policy | Legal/Compliance | Annual review
Staff training on SCC obligations | HR/Legal | Annual
Regulatory change monitoring | Legal/Compliance | Ongoing

Common Mistakes and How to Avoid Them

Common Mistake | Recommended Approach
--- | ---
Treating SCCs as a formality and filing them without completing annexes | Complete all annexes with specific, accurate information about data categories, security measures, and sub-processors
Failing to conduct or document a Transfer Impact Assessment | Prepare a formal TIA for each destination country before transferring data and retain it as part of your GDPR accountability records
Using the wrong SCC module for the data transfer scenario | Analyse the legal roles of each party (controller, processor, sub-processor) and select the corresponding module
Relying solely on the DPF without maintaining SCCs as a fallback | Adopt a dual-mechanism approach: DPF as the primary tool for US transfers, SCCs as a contingency
Neglecting to update SCCs when sub-processors change | Maintain a living sub-processor register and update SCC Annex III and customer notifications when changes occur
Using generic security descriptions in Annex II | Describe actual technical and organisational measures in detail: encryption standards, access control models, incident response procedures
Assuming encryption alone satisfies supplementary measure requirements | If the SaaS provider processes data in the clear, combine encryption with organisational and contractual measures or consider EU-based processing
Not monitoring changes in destination-country laws | Assign responsibility for regulatory monitoring and schedule annual TIA reviews with trigger-based reassessments

UK-Specific Considerations

Following Brexit, the United Kingdom operates under its own data protection framework (UK GDPR and the Data Protection Act 2018). The UK Information Commissioner's Office (ICO) introduced the International Data Transfer Agreement (IDTA) as a UK-specific alternative to the EU SCCs. Organisations transferring personal data from the UK may choose between:

- The UK IDTA: A standalone transfer agreement issued by the ICO.
- The EU SCCs with a UK Addendum: The EU 2021 SCCs supplemented by the ICO's International Data Transfer Addendum, which adapts the EU SCCs for use under UK law.

For SaaS companies serving both EU and UK customers, using the EU SCCs with the UK Addendum is often the most efficient approach, as it allows a single contractual framework to cover transfers from both jurisdictions.

References

European Commission, "Standard Contractual Clauses (SCC)" (accessed March 2026).

European Commission, "New Standard Contractual Clauses: Questions and Answers Overview" (accessed March 2026).

European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679.

Court of Justice of the European Union, Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems ("Schrems II"), 16 July 2020.

European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0, June 2021).

European Data Protection Board, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (adopted 14 February 2023).

European Commission, Adequacy Decision for the EU-US Data Privacy Framework, C(2023) 4745 final, 10 July 2023.

European General Court, Case T-553/23, Philippe Latombe v European Commission, 3 September 2025.

Taft Stettinius & Hollister LLP, "Another Update Already? New EU Standard Contractual Clauses on the Horizon," September 2024.

Foley & Lardner LLP, "European Commission Announces New Initiative for an Additional Type of Standard Contractual Clauses," May 2025.

Alston & Bird, "EU-US Data Privacy Framework vs. EU Standard Contractual Clauses for Transatlantic Transfers of Personal Data," September 2023.

Baker McKenzie, "How does the EU-US Data Privacy Framework benefit companies relying on the EU Standard Contractual Clauses for data transfers to the US?," Connect on Tech, July 2025.

Society for Computers and Law, "IT Contracts in 2025: the new MCTs and SCCs," April 2025.

Kennedys Law, "The data transfer shake-up: legal uncertainty and the new US administration's challenge," April 2025.

CNIL (Commission Nationale de l'Informatique et des Libertés), Practical Guide: Transfer Impact Assessment, January 2025.

Littler Mendelson, "Brazil Standard Contractual Clauses (SCCs) may be required starting August 23, 2025," 2025.

IAPP (International Association of Privacy Professionals), "EU Standard Contractual Clauses" (accessed March 2026).

Drata, "GDPR for SaaS Compliance: Data Protection Impact Assessment" (accessed March 2026).

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).

Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 (Data Act).