This page provides an overview of the EU, UK, and Swiss Standard Contractual Clauses. It is not intended as a substitute for legal advice. As such, we recommend that you consult your legal counsel before acting on any matter discussed on this page. Also, consider engaging your legal counsel to determine if other standard or model contractual clauses, not covered on this page, apply to your organization.

Any company that meets the following conditions has an obligation to use a cross-border data transfer mechanism that is approved under the General Data Protection Regulation (GDPR):

The company is subject to the GDPR.
The company transfers personal data relating to European Economic Area (EEA) residents out of the EEA (for example, to a third-party service provider in the US).

To help companies transfer EEA residents' data out of the EEA in a way that is compliant with the GDPR, the European Commission provides the Standard Contractual Clauses (EU SCCs).

The EU SCCs are model contract clauses companies can enter into with third parties, and they are a commonly used cross-border data transfer mechanism. Other mechanisms include the use of Binding Corporate Rules or relying on the European Commission’s “adequacy” decision for the country to which data is being transferred.

Although the EU SCCs are commonly used as a cross-border data transfer mechanism, each company must evaluate whether the use of SCCs is the right choice for the company or whether another mechanism should be used.

For more on how to determine whether you should enter into the EU SCCs, see the European Commission's Rules on international data transfers.

Forge developers

Developers who host apps on Atlassian’s Forge platform, excluding apps or components hosted remotely, enter into Atlassian’s Forge Data Processing Addendum (Forge DPA) by accepting the Forge Terms, which includes SCCs with Atlassian. These SCCs govern any cross-border transfers of developers' (and their customers') personal data to Atlassian.

To learn more, see About the Forge Data Processing Addendum.

EU SCCs

On June 4, 2021, the European Commission published an updated version of the EU SCCs, which take into account the Schrems II judgment of the European Court of Justice and the invalidation of the EU-US Privacy Shield.

Among other things, the EU SCCs require companies to:

Provide detail about where, when, why, and how they handle personal data.
Assess whether the laws and practices of the country that data is being transferred to could prevent the receiving party from complying with the EU SCCs. This assessment is commonly referred to as a data transfer impact assessment (DTIA).

UK SCCs

Following in the footsteps of the EU, the UK published a data transfer mechanism that companies can rely on when transferring personal data relating to UK residents outside of the UK. To learn more about the UK SCCs, see the Information Commissioner’s International data transfer agreement and guidance.

Swiss SCCs

In August 2021, Switzerland’s Federal Data Protection and Information Commissioner (the Swiss Data Protection Authority) announced that the EU SCCs may be relied on when transferring personal data relating to Swiss residents out of Switzerland, with necessary amendments made to ensure compliance with Swiss data protection law.

For more information, see the Federal Data Protection and Information Commissioner’s page on cross border transfer of personal data.