Standard contractual clauses (SCCs)
Standard Contractual Clauses (SCCs) are model data-protection contract terms adopted by the European Commission that provide a lawful basis for transferring personal data outside the EEA to countries without an adequacy decision. They are commonly used when analytics data flows to vendors abroad. This page explains their role and the assessment that accompanies them.
What SCCs are
SCCs are pre-approved contractual clauses that bind a data exporter and importer to GDPR-aligned protections, giving a Chapter V transfer mechanism for personal data sent to third countries lacking an adequacy decision. The Commission modernised the SCCs in 2021 into a modular set covering different controller/processor transfer scenarios.
They are widely used in vendor contracts, including for analytics services hosted or supported outside the EEA.
Why a transfer assessment is required
After the Schrems II ruling, SCCs alone are not automatically sufficient. The exporter must assess whether the destination country's laws undermine the SCCs' protections and, if so, add supplementary measures (such as encryption or pseudonymisation). For analytics, minimising what is transferred — or keeping data in-region — reduces both the risk and the assessment burden.
- Modular 2021 SCCs cover different transfer roles
- Schrems II requires a transfer impact assessment
- Supplementary measures may be needed to make SCCs effective
How it appears in analytics and logs
If analytics data leaves the EEA to a non-adequate country, SCCs plus a documented transfer assessment are usually the mechanism relied upon; their absence is a transfer-compliance gap.
Diagnostic use case
Understand when SCCs are needed for an analytics transfer and that, after Schrems II, they must be paired with a transfer impact assessment.
What WebmasterID can help detect
Keeping measurement first-party and regional reduces cross-border transfers, narrowing where SCCs and transfer assessments are even required.
Common mistakes
- Signing SCCs without a transfer impact assessment.
- Using outdated pre-2021 SCC versions.
- Assuming SCCs cure every cross-border risk on their own.
Privacy and accuracy notes
This page is educational and not legal advice. SCCs are one transfer mechanism among several, and their sufficiency depends on a case-by-case assessment.
Related pages
- Schrems II and analytics transfers
Schrems II is the 2020 Court of Justice of the EU judgment that invalidated the EU-US Privacy Shield and held that Standard Contractual Clauses remain valid only with a case-by-case assessment of the destination country's surveillance laws. Its reasoning later drove regulator decisions against certain US-hosted analytics. This page explains the ruling and its analytics impact.
- Cross-border data transfers in analytics
The GDPR restricts transfers of personal data outside the EU/EEA unless a valid mechanism applies — an adequacy decision, Standard Contractual Clauses, or another safeguard. Analytics that ships data to servers abroad therefore raises a transfer question, made sharper by case law on access by foreign authorities. Keeping data in-region or minimising it reduces the issue. This is educational, not legal advice.
- EU-US Data Privacy Framework
The EU-US Data Privacy Framework (DPF) is the mechanism, underpinned by a 2023 European Commission adequacy decision, that allows personal data to flow from the EU to US companies that self-certify to its principles. It replaced the invalidated Privacy Shield. This page explains how the DPF enables transfers relevant to analytics and why it stays under scrutiny.
- Privacy-first analytics
Regional, first-party measurement that limits transfers.
Sources and verification notes
- European Commission — Standard Contractual Clauses (2021)Official SCCs and adoption decision.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.