I am a nonprofit: What do the new EU Standard Contractual Clauses (SCCs) mean to me?

Vintage Serax Oxazepam — An ad from an era when, apparently, women did not have a say even when it came down to their own mental health.

But, wait a minute, are you sure GDPR does apply to the nonprofit sector?

Yes, GDPR applies to the nonprofit sector just like it does to the for profit sector.

So, assuming GDPR applies to me, what do I have to do now?


  1. Controller-to-processor (C2P) transfers;
  2. Processor-to processor (P2P) transfers; and
  3. Processor-to-controller (P2C) transfers
  1. Before January 1st, 2022: The old SCCs do remain valid but only for 18 months. This means that you will have to identify all existing contracts that rely on the old version of SCCs (and the particular type of transfer they cover -C2C, C2P, P2P or P2-) before end of year. This should give you enough time to update those contracts by filling out the new forms and getting them signed before the 18 month period expires.
  2. Before November 1st, 2022: Update all contracts relying on the old version of SCCs to include the new version instead.

Are you sure I can really do this?

Yes, you can do this. In fact, if you approach the project from the right perspective, you can maximize the investment to facilitate future work.

  • Be proactive not reactive: For nonprofit organizations it is generally beneficial to be proactive in developing contractual templates for data transfers. Otherwise, it is likely that for profit organizations subject to laws that do not apply to you (like the new California Privacy Rights Act (CPRA) and/or Virginia’s Consumer Data Protection Act (CDPA)) will push on you language designed to protect their own interest that may or may not be relevant for your own compliance or aligned with your mission. Consider taking a holistic approach to all transfers (regardless of jurisdiction) which might increase requirements in some jurisdictions but will be more efficient operationally.
  • Keep it as simple as possible: Since the enactment of GDPR the privacy contractual compliance trend has been towards increased complexity driven by the overlapping jurisdiction-specific requirements. We are at a point where the length of the data transfer provisions in a given contract can significantly exceed the length of the provisions in the underlying contract (the new SCCs for transfers to third countries alone are 36 pages long.) Because this trend is unlikely to abate it is essential to look for synergies and actively seek to simplify compliance. For example, think about this contract update exercise as an opportunity to create a simple ledger of contracts involving data transfers. This can prove intensely helpful down the road when new legal requirements need to be implemented.

And what about the UK?

The new SCCs cannot be used for the UK as it is not a member of the European Union.

Golden Data Law is a mission driven benefit corporation that provides legal services to the not-for-profit community and to governmental agencies.