Last updated Nov 17, 2022

Standard contractual clauses and cross-border transfers

This page provides an overview of the EU Standard Contractual Clauses. It is not intended as a substitute for legal advice. As such, we recommend that you consult your legal counsel before acting on any matter discussed on this page.

Any company that meets the following conditions has an obligation to use a cross-border data transfer mechanism that is approved under the General Data Protection Regulation (GDPR):

  • The company is subject to the GDPR.
  • The company transfers personal data relating to European Economic Area (EEA) residents out of the EEA (for example, to a third-party service provider in the US).

To help companies transfer EEA residents' data out of the EEA in a way that is compliant with the GDPR, the European Commission provides the Standard Contractual Clauses (EU SCCs).

The EU SCCs are model contract clauses companies can enter into with third parties, and they are a commonly used cross-border data transfer mechanism. Other mechanisms include the use of Binding Corporate Rules or relying on the European Commission’s “adequacy” decision for the country to which data is being transferred.

Although the EU SCCs are commonly used as a cross-border data transfer mechanism, each company must evaluate whether the use of SCCs is the right choice for the company or whether another mechanism should be used.

For more on how to determine whether you should enter into the EU SCCs, see the European Commission's Rules on international data transfers.

Forge developers

Developers who host apps on Atlassian’s Forge platform enter into Atlassian’s Forge Data Processing Addendum (Forge DPA) by accepting the Forge Terms, which includes SCCs with Atlassian. These SCCs govern any cross-border transfers of developers' (and their customers') personal data to Atlassian.

To learn more, see About the Forge Data Processing Addendum.

Updates to the EU SCCs

On June 4, 2021, the European Commission published an updated version of the EU SCCs, which take into account the Schrems II judgment of the European Court of Justice and the invalidation of the EU-US Privacy Shield.

Among other things, the updated EU SCCs require companies to:

Important deadline: December 27, 2022

UK SCCs

Following in the footsteps of the EU, the UK published a data transfer mechanism in 2022 that companies can rely on when transferring personal data relating to UK residents outside of the UK. To learn more about the UK SCCs, see the Information Commissioner’s International data transfer agreement and guidance.

Important deadline: March 21, 2024

Companies may still rely on the old version of the EU SCCs for international data transfers out of the UK until March 21, 2024.

After March 21, 2024, those agreements must be updated with the UK-specific data transfer mechanism.

Swiss SCCs

In August 2021, Switzerland’s Federal Data Protection and Information Commissioner (the Swiss Data Protection Authority) announced that the EU SCCs may be relied on when transferring personal data relating to Swiss residents out of Switzerland, with necessary amendments made to ensure compliance with Swiss data protection law.

For more information, see the Federal Data Protection and Information Commissioner’s news post.

Rate this page: