Book Free Call
Anthropic Standard Contractual Clauses SCC Module 2 Module 3 GDPR data transfer
tools

Anthropic SCCs: GDPR Data Transfer Guide for Module 2 and 3

Which SCCs does Anthropic use?

Anthropic uses EU Commission-approved Standard Contractual Clauses — Module 2 for controller-to-processor transfers and Module 3 for processor-to-processor — automatically incorporated into their DPA. No separate SCC document needs to be signed.

  • SCCs are incorporated automatically in Anthropic's DPA — no separate signature or negotiation needed.
  • Module 2 applies when you are a data controller; Module 3 applies when you are a processor.
  • UK and Swiss addenda adapt the EU SCCs for UK GDPR and Swiss FADP compliance.

Anthropic uses EU Standard Contractual Clauses (SCCs), specifically Module 2 (controller-to-processor) and Module 3 (processor-to-processor), automatically incorporated into their Data Processing Addendum when a customer accepts Anthropic’s commercial terms. For companies using Claude Enterprise or the Claude API in Germany, the SCCs are already in place — no separate negotiation or signature is required. The key compliance task is determining which SCC module applies to your organization and what additional documentation your GDPR review requires.

This page provides general information and is not legal advice for a specific situation. For the full framework covering Anthropic’s Data Processing Addendum, see our guide on the Anthropic DPA and the Anthropic Data Processing Addendum review. For a broader GDPR compliance overview, see our Anthropic GDPR Compliance hub.

What Are Standard Contractual Clauses (SCCs)?

Standard Contractual Clauses are EU Commission-approved model contracts that allow companies to transfer personal data from the EU/EEA to countries without an adequacy decision — including the United States. SCCs are the primary transfer mechanism under Article 46(2)(c) GDPR (GDPR Chapter V) and were updated in 2021 following the Schrems II judgment (CJEU Case C-311/18).

Without a valid transfer mechanism, transferring personal data from the EU to a US-based AI provider would violate GDPR. SCCs fill this gap contractually, committing the data importer to EU-equivalent data protection standards.

The 2021 EU Commission SCCs provide four modules covering different transfer scenarios:

  • Module 1 — Controller to Controller
  • Module 2 — Controller to Processor
  • Module 3 — Processor to Processor
  • Module 4 — Processor to Controller

For most Anthropic use cases, Module 2 or Module 3 applies.

Which SCCs Does Anthropic Use?

Anthropic incorporates EU Commission SCCs — Module 2 and Module 3 — into its commercial terms. They are included automatically in the Data Processing Addendum accepted as part of Anthropic’s paid product terms. Customers using Claude Enterprise or the Claude API do not need to separately execute SCC documents.

Anthropic also provides addenda adapting the EU SCCs for:

  • UK transfers: the UK International Data Transfer Addendum (UK IDTA), required for transfers subject to UK GDPR following Brexit
  • Swiss transfers: an adaptation for the Swiss Federal Act on Data Protection (FADP)

SCC Module 2 vs Module 3: Which Applies to Your Organization?

The correct SCC module depends on your organization’s role in the data processing chain. The following table covers the most common scenarios:

Your roleAnthropic’s roleApplicable SCC module
Controller (processes data for your own purposes)Processor (processes on your behalf)Module 2 (Controller to Processor)
Processor (processes data on behalf of your customers)Sub-processorModule 3 (Processor to Processor)

Module 2 — Controller to Processor applies when your organization is the data controller. This is the standard scenario for enterprises using Claude for internal workflows, customer data analysis, or operational automation. You determine the purpose and means of processing; Anthropic processes on your instruction.

Module 3 — Processor to Processor applies when your organization is itself a processor — for example, a SaaS company building a product on top of the Claude API that processes data on behalf of your clients. In this case, Anthropic acts as your sub-processor.

Decision shortcut: If you have end customers whose data flows into Claude, you are likely a processor and Module 3 applies. If Claude is an internal tool processing data about your own customers or employees, Module 2 is the more common starting point. Hybrid scenarios — where an organization is both controller and processor for different data flows — require separate analysis for each processing activity.

Do I Need to Sign SCCs Separately with Anthropic?

No. Customers do not need to separately negotiate or sign SCC documents with Anthropic. The EU Commission SCCs — including the applicable module — are automatically incorporated into Anthropic’s commercial terms when you accept them for a paid product.

This is the most common source of confusion in GDPR procurement for AI tools. Unlike some enterprise vendors who require a separate data transfer agreement signature, Anthropic incorporates SCCs by reference into the standard commercial terms.

Your compliance responsibility is to:

  1. Identify which module applies to your organization based on your controller or processor role.
  2. Document the transfer in your Record of Processing Activities (ROPA) under Article 30 GDPR, recording the transfer mechanism, the applicable SCC module, and destination countries.
  3. Carry out a Transfer Impact Assessment — SCCs are a legal mechanism but do not automatically mean the transfer is low-risk. A TIA is required for most EU-US transfers relying on SCCs.

UK and Swiss Addenda

For organizations subject to UK GDPR or Swiss FADP rather than EU GDPR, the standard EU SCCs must be supplemented:

  • UK International Data Transfer Addendum (UK IDTA): Required for transfers from the UK to a third country not covered by a UK adequacy decision. The UK IDTA adapts the EU SCCs for use under UK GDPR. Anthropic supports the UK IDTA for transfers of data subject to UK data protection law.
  • Swiss FADP addendum: Required for data transfers from Switzerland under the Swiss Federal Act on Data Protection. Anthropic provides a Swiss FADP adaptation alongside the EU SCCs.

Organizations subject to UK or Swiss data protection law should confirm with Anthropic that the applicable addendum is incorporated into their commercial terms. This can typically be confirmed through your account representative or the Anthropic customer portal.

Transfer Impact Assessment (TIA) for Anthropic

The 2021 EU Commission SCCs and subsequent European Data Protection Board (EDPB) guidance require organizations to conduct a Transfer Impact Assessment (TIA) when relying on SCCs for international data transfers. A TIA is a documented analysis assessing whether the legal framework in the destination country provides adequate protection in practice, and whether supplementary measures are necessary.

What a TIA for Anthropic transfers should cover:

  • The US legal framework applicable to Anthropic’s infrastructure — including potential government access obligations under laws such as FISA Section 702
  • Anthropic’s technical and organizational measures for protecting transferred data
  • Whether supplementary technical measures — encryption, pseudonymization, or data minimization at the API level — reduce residual risk
  • Whether the EU-US Data Privacy Framework (DPF) certification provides an alternative adequacy basis for covered Anthropic transfers, removing the need for SCCs on those data flows

Anthropic’s TIA support: Anthropic states it provides information to support customers’ TIA obligations on request. Enterprise customers should request this documentation through their account representative before deployment and retain the TIA documentation alongside the ROPA entry.

SCCs vs EU Data Residency: Not the Same Thing

SCCs and EU data residency are frequently conflated in procurement conversations — they address different compliance requirements.

Standard Contractual Clauses are a legal transfer mechanism — they authorize the transfer of personal data outside the EEA by contractually imposing EU-equivalent obligations on the recipient. SCCs do not prevent the data from leaving the EU; they govern the conditions under which it can lawfully do so.

EU data residency means that personal data is physically stored and processed on infrastructure within the EEA. Having SCCs in place does not mean your data stays in Europe — it means the transfer, wherever it goes, is legally authorized under GDPR.

For organizations that require EU data residency in addition to the SCC transfer mechanism — for example, those subject to sector-specific data localization rules — the SCCs in Anthropic’s DPA are not sufficient on their own. EU data residency for Claude requires a separate infrastructure configuration. For current options and analysis, see our page on Claude EU hosting.

What Else Do You Need Beyond Anthropic’s SCCs?

The SCCs automatically incorporated into Anthropic’s commercial terms are a necessary but not sufficient basis for GDPR-compliant Claude deployments. A full compliance picture requires:

  • Article 28 DPA review: Verify the Anthropic Data Processing Addendum covers your specific workflow, data categories, subprocessors, and retention periods.
  • Legal basis for processing: Confirm a valid Article 6 GDPR legal basis — and Article 9 GDPR where special categories of data are involved.
  • ROPA documentation: Record the Anthropic processing activity — including the applicable SCC module, destination countries, and transfer mechanism — in your Record of Processing Activities under Article 30 GDPR.
  • TIA documentation: Complete and retain a Transfer Impact Assessment for the EU-US transfer path and any subprocessor transfer paths outside the EEA.
  • DPIA assessment: Determine whether a Data Protection Impact Assessment under Article 35 GDPR is required given the scale, nature, and risk profile of the processing.
  • Subprocessor review: Obtain and review Anthropic’s current subprocessor list, including the transfer mechanisms applied to each subprocessor operating outside the EEA.

For employee data, co-determination obligations under § 87(1) No. 6 BetrVG may apply independently of the DPA and SCC review — these obligations arise from German labor law and are not resolved by the GDPR contract stack alone.

Compound Law advises businesses, startups, and in-house teams in Germany on GDPR, AI contracts, and data transfer compliance. If you need a full SCC and DPA review for your Anthropic deployment, contact us.

FAQ

What SCCs does Anthropic use?

Anthropic uses EU Commission-approved Standard Contractual Clauses under Article 46(2)(c) GDPR — specifically Module 2 (controller-to-processor) and Module 3 (processor-to-processor). The 2021 EU Commission SCCs apply. They are automatically incorporated into the Anthropic Data Processing Addendum as part of the commercial terms accepted for Claude Enterprise and the Claude API. Customers do not need to separately negotiate or sign SCC documents.

Are Anthropic’s SCCs GDPR compliant?

Yes — Anthropic uses the current 2021 EU Commission SCCs, which are the legally valid transfer mechanism under Article 46(2)(c) GDPR. However, SCCs are a legal authorization for the transfer, not a guarantee of equivalent protection in practice. Following the Schrems II judgment, companies must still carry out a Transfer Impact Assessment and document supplementary measures where needed. The EU-US Data Privacy Framework (DPF) may provide an alternative adequacy basis for covered Anthropic transfers — the current certification status should be verified at the time of procurement.

Do I need a Transfer Impact Assessment for Anthropic?

In most cases, yes. The EDPB guidance following Schrems II requires a Transfer Impact Assessment when relying on SCCs for transfers to third countries. For EU-US transfers to Anthropic, the TIA should assess the US legal framework (including FISA Section 702 government access obligations), Anthropic’s technical and organizational measures, and whether supplementary measures are needed. Anthropic provides TIA support documentation on request — request this through your account representative before deployment.

Does Claude Enterprise use SCCs?

Yes. SCCs are automatically incorporated into Anthropic’s commercial terms for both Claude Enterprise and the Claude API. No separate SCC execution is required. UK and Swiss customers should confirm with Anthropic that the applicable UK IDTA or Swiss FADP addendum is also included in their commercial terms. Customers accessing Claude via Amazon Bedrock should note that the AWS DPA and AWS SCCs govern those deployments — the Anthropic DPA and SCCs apply only when contracting directly with Anthropic.

Related Tool Guides

Claude Zero Data Retention ZDR enterprise API guide for GDPR compliance in Germany
tools

Claude Zero Data Retention (ZDR): Enterprise API Guide

Claude's Zero Data Retention agreement: Anthropic won't store your API inputs or outputs. Eligibility, exceptions, and GDPR implications for Germany.
Claude Enterprise used by law firms and legal teams for contract review
tools

Claude Enterprise for Law Firms and Legal Teams

Claude Enterprise for law firms and legal teams: contract review, due diligence, and compliance drafting with GDPR and bar association considerations.
Zapier GDPR 2026 Germany — DPA, Article 28, SCCs and EU data transfers for German companies
tools

Zapier GDPR 2026: DPA, Article 28 & EU Data Transfer Guide

Is Zapier GDPR compliant? DPA under GDPR Article 28, SCCs, EU data residency, and US data transfer compliance for German businesses — 2026 guide.
Anthropic Data Processing Addendum GDPR Article 28 compliance review guide
tools

Is Anthropic's DPA GDPR-Compliant? Coverage Guide for Germany

Anthropic has a GDPR-compliant DPA covering Article 28 and EU-US SCCs. Here's what's included and what to verify before deploying Claude in Germany.
Anthropic DPA data processing agreement Article 28 GDPR for Germany
tools

Does Anthropic Have a GDPR DPA? — Yes, Here's What It Covers [2026]

Yes. Anthropic provides a DPA for Claude Enterprise and the API under GDPR Article 28. Covers SCCs, processor role, subprocessors, and retention. Germany guide.
Claude Code GDPR compliance — DPA, data retention and EU hosting guide
tools

Claude Code Data Privacy: GDPR, DPA & No Training Policy

Claude Code's data privacy policy: no training on your code by default, GDPR DPA included via Anthropic API, zero data retention for Enterprise.

Browse More AI Tools

Frequently asked questions

What SCCs does Anthropic use?

Anthropic uses EU Commission-approved Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR — specifically Module 2 (controller-to-processor) and Module 3 (processor-to-processor). They are automatically incorporated into the Anthropic Data Processing Addendum as part of the commercial terms. Customers do not need to separately sign or negotiate SCC documents with Anthropic.

Are Anthropic's SCCs GDPR compliant?

Yes. Anthropic uses the 2021 EU Commission SCCs, which are the standard-compliant transfer mechanism under Article 46(2)(c) GDPR for transfers to countries without an adequacy decision, including the United States. However, SCCs are a legal transfer mechanism — not a guarantee of equivalent protection in practice. Companies must still carry out a Transfer Impact Assessment (TIA) and document the transfer in their Record of Processing Activities. The EU-US Data Privacy Framework (DPF) may provide an alternative adequacy basis for covered Anthropic transfers — the current DPF certification status should be verified at the time of procurement.

Do I need a Transfer Impact Assessment for Anthropic?

Yes, in most cases. The European Data Protection Board's post-Schrems II guidance requires organizations to carry out a Transfer Impact Assessment (TIA) when relying on SCCs for transfers to third countries. For EU-US transfers to Anthropic, the TIA should assess US government access laws (such as FISA Section 702), Anthropic's technical and organizational measures, and whether supplementary measures are needed. Anthropic states it provides TIA support information on request — enterprise customers should request this documentation through their account representative before deployment.

Does Claude Enterprise use SCCs?

Yes. SCCs are automatically incorporated into Anthropic's commercial terms for Claude Enterprise and the Claude API. Customers do not need to separately execute SCC documents — the SCCs are included by reference in the Data Processing Addendum accepted when signing up for a paid Anthropic product. UK and Swiss customers should confirm with Anthropic that the applicable UK IDTA or Swiss FADP addendum is also included in their commercial terms.

Book Free Call