Data Protection & Compliance • Switzerland / EU / UK • Updated: February 22, 2026

Standard Contractual Clauses Explained

A practical guide to standard contractual clauses (SCCs) for international data transfers—when you need them, how the EU SCC modules work, and how to run Transfer Impact Assessments (TIAs) and supplementary measures without slowing delivery.

Reading time: 12 min • Difficulty: Intermediate • Audience: Legal/compliance, procurement, security, IT & product owners

Key takeaways

  • SCCs are a transfer tool: they don’t “legalize” risky transfers on their own—risk still needs assessing.
  • Pick the right module: controller→controller and controller→processor are most common.
  • TIA is the hard part: document destination-country risks and your supplementary measures.
  • Operationalize it: build SCCs into procurement and vendor management so it’s repeatable.

In practice: If your SCC annexes are blank (no data categories, no security measures, no sub-processors), you don’t have a working safeguard—you have paperwork.

What SCCs are (and what they are not)

Standard Contractual Clauses (SCCs) are pre-approved contract clauses used to provide “appropriate safeguards” when personal data is transferred internationally to countries that don’t have an adequacy decision (in EU terms) or an “appropriate level of protection” (in Swiss terms).

SCCs set contractual obligations between the data exporter and importer—covering security measures, transparency, sub-processing, data subject rights support, and how government access requests are handled.

What SCCs do NOT do

  • They don’t replace a data inventory and vendor due diligence.
  • They don’t automatically solve third-country legal risks—you still need a TIA and (sometimes) supplementary measures.
  • They don’t fix weak security—your technical controls must match what’s promised in the annexes.

When you need SCCs

You typically use SCCs when you transfer personal data outside the EU/EEA (or outside Switzerland / the UK, depending on your regime) to a country without an adequacy decision, and no other appropriate safeguard applies.

Common triggers

  • Using a non-European SaaS vendor (CRM, analytics, support, marketing automation)
  • Outsourcing processing (development, support, payroll) to non-adequate jurisdictions
  • Group transfers (EU/CH entity sending data to a non-adequate group company)
  • Cloud hosting or support access from outside your region

Tip: Start with a transfer map: exporter → importer → sub-processors → data categories → purpose → locations. If you can’t map the flow, you can’t choose the right safeguards.

EU SCC modules (which one to use)

The modern EU SCCs (2021) use a modular structure. Choose the module based on who is the controller/processor on each side.

| Module | Use when | Typical example |
|---|---|---|
| Controller → Controller (C2C) | Exporter and importer both determine purposes/means. | EU company shares customer data with an overseas partner acting as a controller. |
| Controller → Processor (C2P) | Exporter is controller; importer processes on instructions. | EU/CH controller uses a non-EEA SaaS provider. |
| Processor → Processor (P2P) | Exporter is processor transferring to another processor. | EU processor engages a sub-processor outside EU/EEA. |
| Processor → Controller (P2C) | Exporter is processor; importer becomes controller. | Service provider sends data back to an overseas client controller. |

Most common: C2P for vendor SaaS and cloud services. Get this one operational first.

How to implement SCCs step-by-step

SCCs work best as a repeatable procurement + vendor governance process, not a one-off legal task.

Step 1: Build a transfer inventory (fast version)

  1. List systems and vendors that process personal data.
  2. Identify transfers outside your jurisdiction (EU/EEA, Switzerland, UK).
  3. Note data categories, purpose, and processing roles (controller/processor).

Step 2: Decide the transfer mechanism

  • If the destination is adequate: SCCs may not be needed (still do security due diligence).
  • If not adequate: SCCs (or BCRs, approved codes, etc.) are typical mechanisms.

Step 3: Complete the SCC annexes properly

The annexes are where SCCs become “real.” For most teams, this is the part that needs templates.

| Annex item | What to include | Common mistake |
|---|---|---|
| Data categories & purpose | Clear, specific categories and purposes | Vague “business purposes” wording |
| Recipients & sub-processors | Known sub-processors or disclosure logic | “To be determined” without governance |
| Retention | Retention logic and deletion/return process | No operational deletion behavior |
| Security measures (TOMs) | Concrete technical/organizational controls | Marketing-level claims without evidence |

Step 4: Ensure vendor commitments match reality

  • Confirm encryption, access controls, logging, incident response, and sub-processor governance.
  • Align processor obligations (Article 28-style clauses) with SCC commitments where relevant.
  • Make sure you can support DSARs and breach handling with the vendor.

TIA + supplementary measures (post-Schrems II)

SCCs are often paired with a Transfer Impact Assessment (TIA) to evaluate whether the destination country’s laws and practices could undermine the protections promised in the SCCs.

A practical TIA structure

  1. Describe the transfer: data categories, roles, locations, frequency, and purpose.
  2. Assess destination risks: legal environment, government access, and enforceability in practice.
  3. Evaluate controls: security measures, access limitation, transparency, audit rights, sub-processor governance.
  4. Add supplementary measures: technical, organizational, and contractual enhancements.
  5. Residual risk decision: accept/mitigate/stop; document owners and approvals.

Examples of supplementary measures (common in practice)

  • Technical: strong encryption (with EU/CH-held keys), pseudonymization, access restrictions, data minimization.
  • Organizational: strict admin access processes, logging + monitoring, incident drills, staff training.
  • Contractual: transparency commitments, commitments to challenge government requests, sub-processor restrictions, auditability.

Reality check: If you can’t explain where encryption keys live, who can access decrypted data, and how you detect misuse, your “supplementary measures” are probably not meaningful.

Switzerland & UK: addenda and alternatives

Many organizations operate across EU, Switzerland, and the UK. The fastest way to reduce complexity is to standardize your contracting approach and add the needed jurisdiction-specific addenda.

Switzerland (DSG/FADP)

  • Swiss law focuses on whether the destination provides an “appropriate level of protection.”
  • Organizations often use the EU SCCs with a Swiss addendum to align references and enforcement expectations.

United Kingdom (UK GDPR)

  • EU SCCs are not valid on their own for UK restricted transfers.
  • Common options: UK IDTA or EU SCCs + UK Addendum (useful when one contract must cover both EU and UK transfers).

Operational tip: Keep one master vendor contract and attach the right addendum set (EU SCCs, Swiss addendum, UK addendum/IDTA), driven by your data transfer map.

Standard Contractual Clauses checklist (copy/paste)

Use this checklist to make SCCs operational and defensible.

  • We maintain a transfer map (exporter, importer, sub-processors, locations, data categories, purpose).
  • We chose the correct SCC module(s) for roles (C2C, C2P, P2P, P2C).
  • We completed SCC annexes with specific data categories, retention rules, and concrete security measures.
  • We confirmed vendor commitments match reality (controls, auditability, incident handling, DSAR support).
  • We performed a TIA (or equivalent risk assessment) for non-adequate destinations and documented the outcome.
  • We implemented supplementary measures where needed (encryption, key management, minimization, monitoring).
  • We applied jurisdiction addenda where relevant (Swiss addendum, UK IDTA or UK addendum).
  • We store evidence: signed SCCs, annexes, TIA, approvals, and periodic review notes.

Quick win: Create a “SCC annex pack” template (data categories, TOMs, retention, sub-processor governance) that vendors can fill out consistently.

FAQ

What are Standard Contractual Clauses (SCCs)?
SCCs are pre-approved contract clauses used as an “appropriate safeguard” for international transfers of personal data to countries without an adequacy decision (or equivalent). They create enforceable obligations between exporter and importer.

Do SCCs alone make an international transfer compliant?
Not always. You often need a Transfer Impact Assessment (TIA) and, where risks remain, supplementary measures such as encryption, pseudonymization, tighter access controls, and monitoring.

Which SCC module is most common for SaaS vendors?
Controller-to-Processor (C2P) is the most common for SaaS and cloud vendors that process data on your instructions.

Can we use EU SCCs for UK transfers?
EU SCCs are not valid on their own for UK restricted transfers. Common options are the UK IDTA or using EU SCCs with the UK Addendum, especially when one contract must cover both EU and UK transfers.

About the author

Leutrim Miftaraj — Founder, Innopulse.io

Leutrim is an IT project leader and innovation management professional (BSc/MSc) focused on governance, secure delivery, and compliance-friendly execution for organizations in Switzerland.

Reviewed by: Innopulse Editorial Team (Quality & Compliance) • Review date: February 22, 2026

This content is for informational purposes and does not constitute legal advice. For case-specific guidance, consult qualified counsel.

Last updated: February 22, 2026 • Version: 1.0