Standard Contractual Clauses (SCCs)

What Are Standard Contractual Clauses?

Standard Contractual Clauses (SCCs) are model data-transfer contracts approved by the European Commission under Article 46(2)(c) of the General Data Protection Regulation (GDPR). They provide a lawful basis for transferring personal data from the European Union or European Economic Area to data importers established in third countries that are not subject to a European Commission adequacy decision. SCCs are pre-drafted, must be executed without modification of their core text, and impose enforceable data-protection obligations on the data importer that are intended to provide a level of protection essentially equivalent to that guaranteed within the EU.

For India, SCCs are the most widely used transfer mechanism. Indian EOR providers, payroll vendors, subsidiaries of EU groups, BPO and KPO providers, and SaaS suppliers handling EU personal data routinely execute SCCs with their EU customers as a precondition to receiving the data.

The 2021 Modular SCCs

The current SCCs were adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, replacing the earlier 2001 and 2010 SCC sets. They departed from the previous fixed-template approach and introduced a modular structure:

• Module 1 — Controller to Controller. Two independent controllers, e.g. an EU group company sharing employee data with an Indian sister company that determines its own purposes.
• Module 2 — Controller to Processor. EU controller engaging an Indian processor, e.g. an EOR provider, payroll vendor, or HR-tech SaaS. This is by far the most common module for India transfers.
• Module 3 — Processor to Processor. EU processor engaging an Indian sub-processor, e.g. an EU SaaS vendor with an Indian development or support team.
• Module 4 — Processor to Controller. Indian processor returning personal data to an EU controller, e.g. an Indian outsourced research provider returning analysis to an EU controller.

Other features of the 2021 SCCs:

• Multi-party docking clause. New parties can join an existing SCC at any time during its lifetime.
• Compliance with Schrems II. The clauses contain explicit obligations on data importers regarding government-access requests and require both parties to assess local laws.
• GDPR-aligned data-subject rights. Data subjects in the EU are third-party beneficiaries of the SCCs and can enforce key obligations directly against the importer.
• Mandatory annexes. Annex I (transfer details, data categories, recipients), Annex II (technical and organisational measures), Annex III (sub-processors).

The Decision required all new transfers from 27 September 2021 to use the 2021 SCCs. Contracts on the older 2001 and 2010 SCCs were grandfathered until 27 December 2022, after which they ceased to provide a lawful basis.

Applicability — When India Transfers Need SCCs

India is not on the European Commission’s adequacy list. The current adequacy list as of 2026 comprises Andorra, Argentina, Brazil, Canada (commercial organisations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, and the United Kingdom (with separate adequacy decisions under GDPR and the Law Enforcement Directive).

Without adequacy, every transfer of personal data from the EU/EEA to an Indian recipient must rely on one of the Article 46 transfer mechanisms — typically the 2021 SCCs, less commonly Binding Corporate Rules (for intra-group transfers), or, for narrow situations, the Article 49 derogations such as explicit consent, contract performance, or public interest. SCCs apply equally whether the Indian recipient is:

• An Indian subsidiary of an EU parent;
• An Indian Employer of Record handling EU-citizen employee data;
• An Indian payroll vendor;
• An Indian SaaS provider hosting EU personal data;
• An Indian BPO or research provider receiving EU personal data;
• An Indian Global Capability Centre operated by an EU group.

Negotiations on a potential EU-India adequacy decision have been discussed in the context of the Digital Personal Data Protection Act, 2023 and informed projections suggest a multi-year process; until adequacy is granted, SCCs remain the operative mechanism.

Schrems II and the Transfer Impact Assessment

The CJEU decision in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, delivered on 16 July 2020, fundamentally reshaped EU international transfers:

• Privacy Shield invalidated. The EU-US Privacy Shield adequacy decision was struck down because US surveillance laws did not provide protection essentially equivalent to GDPR.
• SCCs upheld but with conditions. The Court ruled that SCCs remain a valid transfer mechanism, but data exporters must assess on a case-by-case basis whether the law and practice of the destination country provides essentially equivalent protection, and must implement supplementary measures where it does not.

This created the Transfer Impact Assessment (TIA) requirement. For India transfers, a TIA typically covers:

1. The categories of personal data, sensitivity, and volume.
2. The transfer purpose, processing operations, and storage duration.
3. The relevant Indian laws — DPDP Act, 2023; Information Technology Act, 2000; Telegraph Act, 1885; Code of Criminal Procedure provisions on data access; sector-specific obligations.
4. Government-access risk — interception, mandatory disclosure orders, takedown powers, and surveillance practice.
5. Available safeguards — judicial oversight, transparency, redress mechanisms.
6. The supplementary measures applied — encryption with EU-held keys, pseudonymisation, contractual disclosure-resistance commitments, transparency reporting.

The European Data Protection Board’s Recommendations 01/2020 on supplementary measures provide the canonical framework.

Penalties for Non-Compliance

Failure to use a valid Article 46 transfer mechanism for a third-country transfer is treated as a serious violation of GDPR Chapter V. Under Article 83(5) GDPR, infringements of the basic principles for processing, including transfer-mechanism failures, attract administrative fines up to:

• EUR 20 million, or
• 4% of the undertaking’s total worldwide annual turnover of the preceding financial year, whichever is higher.

Recent EU enforcement has produced multi-hundred-million-euro fines for inadequate transfer arrangements (notably the Irish Data Protection Commission’s 2023 fine on Meta of EUR 1.2 billion for unlawful EU-US transfers under the SCCs without adequate supplementary measures).

In addition to fines, data subjects can claim compensation under Article 82 GDPR and Data Protection Authorities can suspend or prohibit the transfer.

Common Scenarios

EU-headquartered company hires through an Indian EOR. The EU company is the controller of employee personal data. The Indian EOR is the processor. The parties execute Module 2 SCCs as part of the EOR services agreement, with TIA documentation, Annex II technical and organisational measures (encryption at rest and in transit, role-based access, audit logs), and Annex III listing sub-processors (Indian payroll vendor, statutory-filing platform, identity-verification service).

EU SaaS vendor with Indian engineering team. The EU SaaS vendor is the processor for its EU customers. Its Indian engineering team accesses EU customer data for support and development. The vendor enters into Module 3 SCCs with itself as exporter and the Indian entity as importer (or treats the access as part of an intra-group BCR if approved), and conducts a TIA covering Indian government-access risk.

Intra-group transfer to an Indian GCC. An EU bank operates a Global Capability Centre in Hyderabad performing analytics on EU personal data. The bank executes Module 1 (or applies its approved Binding Corporate Rules) and conducts a sector-specific TIA referencing financial-services confidentiality.

How Omnivoo Helps

Omnivoo executes the EU 2021 Module 2 SCCs as standard with every EU customer engaging Indian employees through our EOR. Our data-processing agreement annexes Annex I (transfer details), Annex II (technical and organisational measures aligned to ISO 27001 controls), and Annex III (sub-processor list with prior-notification rights). We supply a India-specific Transfer Impact Assessment template that EU customers can adapt and execute with the assistance of their counsel, covering DPDP Act, 2023, government-access provisions, and supplementary measures. Encryption with customer-controlled keys, granular role-based access, and an audited sub-processor regime address the Schrems II supplementary-measures expectation. Read our GCC India compliance guide for the broader cross-border data architecture for EU groups operating in India.