STANDARD CONTRACTUAL CLAUSES (SCC) IMPLEMENTATION CHECKLIST
EU SCCs (2021) and UK Transfer Mechanisms
OVERVIEW
This checklist guides the implementation of Standard Contractual Clauses for international data transfers pursuant to GDPR Article 46(2)(c) and the Commission Implementing Decision (EU) 2021/914.
Important Dates:
- June 4, 2021: New EU SCCs adopted
- September 27, 2021: New SCCs required for NEW agreements
- December 27, 2022: Old SCCs no longer valid for ANY transfers
PART 1: PRE-IMPLEMENTATION ASSESSMENT
1.1 Determine Transfer Scenario
Which Module Applies?
| Module | Scenario | Applies |
|---|---|---|
| Module 1 | Controller to Controller (C2C) | ☐ |
| Module 2 | Controller to Processor (C2P) | ☐ |
| Module 3 | Processor to Processor (P2P) | ☐ |
| Module 4 | Processor to Controller (P2C) | ☐ |
1.2 Identify Parties
Data Exporter:
| Field | Information | Verified |
|---|---|---|
| Legal Name | [NAME] | ☐ |
| Address | [ADDRESS] | ☐ |
| Contact Person | [NAME/EMAIL] | ☐ |
| DPO Contact | [NAME/EMAIL] | ☐ |
| Activities Description | [DESCRIPTION] | ☐ |
| Role | ☐ Controller ☐ Processor | ☐ |
Data Importer:
| Field | Information | Verified |
|---|---|---|
| Legal Name | [NAME] | ☐ |
| Address | [ADDRESS] | ☐ |
| Contact Person | [NAME/EMAIL] | ☐ |
| Activities Description | [DESCRIPTION] | ☐ |
| Role | ☐ Controller ☐ Processor | ☐ |
| Country | [COUNTRY] | ☐ |
1.3 Adequacy Check
Is the destination country covered by an adequacy decision?
☐ Yes - SCCs not required (but may still be used)
☐ No - SCCs or other Article 46 mechanism required
☐ Partial adequacy (check scope)
PART 2: TRANSFER IMPACT ASSESSMENT (TIA)
2.1 TIA Requirement
Has a Transfer Impact Assessment been conducted?
☐ Yes - Date: _________ Reference: _________
☐ No - STOP: TIA must be completed before implementing SCCs
2.2 TIA Findings
| Element | Finding |
|---|---|
| Risk Level Identified | ☐ Low ☐ Medium ☐ High |
| Supplementary Measures Required | ☐ Yes ☐ No |
| Decision | ☐ Proceed ☐ Proceed with conditions ☐ Do not proceed |
PART 3: SCC DOCUMENT PREPARATION
3.1 Select Applicable Clauses
Section I - General Provisions:
☐ Clause 1 - Purpose and scope
☐ Clause 2 - Effect and invariability of the Clauses
☐ Clause 3 - Third-party beneficiaries
☐ Clause 4 - Interpretation
☐ Clause 5 - Hierarchy (conflicts with other agreements)
3.2 Select Optional Provisions
Clause 7 - Docking Clause (Optional):
☐ Include docking clause (allows additional parties to join)
☐ Do not include docking clause
Clause 9 - Sub-processors (Module 2 and 3 only):
☐ Option 1: Prior specific authorization (list each sub-processor)
☐ Option 2: General written authorization (with notification right)
Clause 11 - Redress (Optional):
☐ Include optional text allowing data subjects to invoke dispute resolution
☐ Do not include optional text
Clause 17 - Governing Law:
☐ Option 1: EU Member State law allowing third-party beneficiary rights
☐ Option 2: Module 4 only - any EU Member State law
Selected Law: _____________
Clause 18 - Choice of Forum:
Courts of: _____________
3.3 Complete Annexes
Annex I - List of Parties:
☐ Part A - Data Exporter details completed
☐ Part B - Data Importer details completed
☐ Part C - Competent Supervisory Authority identified
Annex II - Technical and Organizational Measures (TOMs):
| Category | Documented |
|---|---|
| Pseudonymization and encryption | ☐ |
| Confidentiality, integrity, availability | ☐ |
| Ability to restore access | ☐ |
| Regular testing of measures | ☐ |
| User identification and authorization | ☐ |
| Protection during transmission | ☐ |
| Protection during storage | ☐ |
| Physical security | ☐ |
| Event logging | ☐ |
| System configuration | ☐ |
| IT security governance | ☐ |
| Incident management | ☐ |
| Business continuity | ☐ |
| Sub-processor management | ☐ |
Annex III - List of Sub-processors (if applicable):
☐ Completed with all sub-processors
☐ Not applicable (specific authorization chosen)
PART 4: SUPPLEMENTARY MEASURES
4.1 Technical Measures
| Measure | Required | Implemented | Notes |
|---|---|---|---|
| Strong encryption (transit) | ☐ | ☐ | [NOTES] |
| Strong encryption (rest) | ☐ | ☐ | [NOTES] |
| Pseudonymization | ☐ | ☐ | [NOTES] |
| Key management by exporter | ☐ | ☐ | [NOTES] |
| Data minimization | ☐ | ☐ | [NOTES] |
| Split processing | ☐ | ☐ | [NOTES] |
4.2 Contractual Measures
| Measure | Required | Included | Clause Reference |
|---|---|---|---|
| Challenge unlawful requests | ☐ | ☐ | Clause 15.1 |
| Notification of requests | ☐ | ☐ | Clause 15.1 |
| Warrant canary | ☐ | ☐ | [REFERENCE] |
| Enhanced audit rights | ☐ | ☐ | [REFERENCE] |
| Additional representations | ☐ | ☐ | [REFERENCE] |
4.3 Organizational Measures
| Measure | Required | Implemented | Notes |
|---|---|---|---|
| Transparency reporting | ☐ | ☐ | [NOTES] |
| Internal policies review | ☐ | ☐ | [NOTES] |
| Staff training | ☐ | ☐ | [NOTES] |
| Regular audits | ☐ | ☐ | [NOTES] |
PART 5: UK TRANSFERS (IF APPLICABLE)
5.1 UK Transfer Mechanism Selection
For transfers from the UK:
☐ UK International Data Transfer Agreement (IDTA)
☐ UK Addendum to EU SCCs
☐ Both (for dual EU/UK transfers)
5.2 UK Addendum Checklist (if using)
☐ Part 1: Tables completed (parties, description, appendix information)
☐ Part 2: Mandatory Clauses incorporated
☐ EU SCCs attached with selected modules/options
☐ Addendum signed by both parties
5.3 UK IDTA Checklist (if using)
☐ Part 1: Tables A-D completed
☐ Table A: Parties and key contacts
☐ Table B: Transfer description
☐ Table C: Appendix information
☐ Table D: Ending the IDTA
☐ Part 2: Extra Protection Clauses (if required)
☐ IDTA signed by both parties
PART 6: EXECUTION AND DOCUMENTATION
6.1 Pre-Execution Review
☐ SCCs reviewed by legal counsel
☐ DPO consulted (if applicable)
☐ All annexes completed
☐ Supplementary measures documented
☐ TIA completed and attached
6.2 Execution
| Party | Authorized Signatory | Date Signed |
|---|---|---|
| Data Exporter | Name: _____________ | ____________ |
| Data Importer | Name: _____________ | ____________ |
Signature Method:
☐ Wet ink signatures
☐ Electronic signatures (DocuSign, Adobe Sign, etc.)
☐ Written agreement (email exchange)
6.3 Documentation Storage
| Document | Location | Retention Period |
|---|---|---|
| Signed SCCs | [LOCATION] | Duration of processing + [X] years |
| TIA | [LOCATION] | Duration of processing + [X] years |
| Supplementary measures | [LOCATION] | Duration of processing + [X] years |
| Sub-processor records | [LOCATION] | Duration of processing + [X] years |
PART 7: ONGOING COMPLIANCE
7.1 Monitoring Activities
| Activity | Frequency | Responsible | Last Completed |
|---|---|---|---|
| Review TIA | Annual / on change | [NAME] | [DATE] |
| Review supplementary measures | Annual | [NAME] | [DATE] |
| Review sub-processor list | Quarterly | [NAME] | [DATE] |
| Monitor legal developments | Ongoing | [NAME] | N/A |
| Importer compliance audit | [FREQUENCY] | [NAME] | [DATE] |
7.2 Change Management
Trigger events requiring review:
☐ Change in destination country laws
☐ Change in processing activities
☐ Addition of new sub-processors
☐ Supervisory authority guidance
☐ Security incident
☐ Data subject complaint
7.3 Data Subject Rights
☐ Process established to respond to data subject requests
☐ Importer cooperation procedures in place
☐ Complaint handling mechanism documented
PART 8: APPROVAL AND SIGN-OFF
8.1 Implementation Approval
| Role | Name | Signature | Date |
|---|---|---|---|
| Project Lead | [NAME] | _____________ | [DATE] |
| Legal Review | [NAME] | _____________ | [DATE] |
| DPO Approval | [NAME] | _____________ | [DATE] |
| Management Sign-off | [NAME] | _____________ | [DATE] |
8.2 Checklist Completion
☐ All required sections completed
☐ All documents gathered and stored
☐ SCCs properly executed
☐ Ongoing monitoring schedule established
☐ Staff trained on procedures
DOCUMENT CONTROL
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [NAME] | Initial checklist |
QUICK REFERENCE: MODULE SELECTION
| Transfer Type | Exporter Role | Importer Role | Module |
|---|---|---|---|
| Business shares customer data with foreign partner | Controller | Controller | Module 1 |
| Business uses foreign cloud provider | Controller | Processor | Module 2 |
| EU processor uses non-EU sub-processor | Processor | Processor | Module 3 |
| Non-EU processor returns data to EU controller | Processor | Controller | Module 4 |
This checklist is provided for compliance with GDPR international transfer requirements. It does not constitute legal advice. Consult with qualified legal counsel for specific implementation questions.