European Union

The ECS has been challenged. Can it still be used in the meantime?

Valid until rev
Legal status
2021 SCCs in fo
Current version
Case C-311/18
Schrems II
6 months grace
Transition period
The Short Answer

Yes, the European Commission’s Standard Contractual Clauses (ECS/SCCs) remain valid and can be used while challenges are pending, provided they are supplemented with appropriate safeguards where necessary.

What the Law Says

The European Commission’s Standard Contractual Clauses (SCCs) are a legal mechanism under the GDPR to ensure appropriate safeguards for personal data transfers outside the EU. Following the Schrems II ruling, the Commission adopted new SCCs in 2021, which replaced earlier versions and explicitly require transfer impact assessments and supplementary measures where needed.

Under Article 46(2)(c) of the GDPR, SCCs are one of the 'appropriate safeguards' that controllers and processors may use when transferring personal data to third countries without an adequacy decision.

The Commission Implementing Decision (EU) 2021/914 of 4 June 2021 sets out the current SCCs and states: 'These Clauses shall be used without any modification, except for the completion of the Annexes and/or the addition of clauses or annexes that do not contradict the substantive provisions of these Clauses.'

Recital 10 of the same Decision confirms: 'The Clauses should provide sufficient guarantees to ensure compliance with the obligations laid down in Chapter V of Regulation (EU) 2016/679.'

Statutory Text

These Clauses shall be used without any modification, except for the completion of the Annexes and/or the addition of clauses or annexes that do not contradict the substantive provisions of these Clauses.

Commission Implementing Decision (EU) 2021/914, Recital 10
Statutory Text

The Clauses should provide sufficient guarantees to ensure compliance with the obligations laid down in Chapter V of Regulation (EU) 2016/679.

Commission Implementing Decision (EU) 2021/914, Recital 10

What Courts Have Said

The Court of Justice of the EU (CJEU) has confirmed both the continued validity of SCCs and the obligation to assess their effectiveness on a case-by-case basis.

Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (C-311/18)
Court of Justice of the European Union · 2020

The CJEU invalidated the EU–US Privacy Shield but upheld SCCs as a transfer tool — however, it ruled that data exporters must verify, prior to transfer, whether the recipient country ensures an essentially equivalent level of protection; if not, they must implement supplementary measures or suspend the transfer.

What to Do

1

Conduct a transfer impact assessment (TIA) for each non-adequate country receiving data under SCCs.

2

Identify and implement effective supplementary measures (e.g., encryption, contractual commitments, technical controls) if the TIA reveals risks.

3

Document all assessments and measures taken — this is mandatory under GDPR accountability principle (Art. 5(2)).

4

Monitor developments: If a court invalidates the 2021 SCCs in future, the European Commission will issue updated guidance or replacement clauses.

5

Use only the official 2021 SCCs (Commission Implementing Decision (EU) 2021/914); older versions expired on 27 September 2022.

Sources

statuteRegulation (EU) 2016/679 — General Data Protection Regulation, Art. 46(2)(c)statuteCommission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countriescaseCase C-311/18 — Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian SchremscaseData Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (C-311/18) (2020)

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.