Anthropic SCCs: GDPR Data Transfer Guide for Module 2 and 3

Which SCCs does Anthropic use?

Anthropic's current DPA automatically incorporates the 2021 EU SCCs — Module 2 for controller-to-processor transfers and Module 3 for processor-to-processor transfers. For direct Anthropic contracts, no separate SCC document needs to be signed.

• SCCs are incorporated automatically in Anthropic's DPA — no separate signature or negotiation is normally needed.
• Module 2 applies when you are a data controller; Module 3 applies when you are a processor.
• The current Anthropic DPA also includes UK and Swiss addenda for UK GDPR and Swiss data-transfer scenarios.
• If you use Claude through Bedrock, Vertex AI, or another platform, that platform contract stack governs the transfer instead.

Anthropic’s current Data Processing Addendum effective February 24, 2025 defines the applicable Standard Contractual Clauses (SCCs) as Module 2 (controller-to-processor) or Module 3 (processor-to-processor) under Commission Implementing Decision (EU) 2021/914. Anthropic’s help center, updated on March 16, 2026, states that these SCCs are automatically incorporated when a customer accepts the commercial terms for direct Anthropic services. For German companies using the Claude API or Claude for Work / Enterprise directly from Anthropic, no separate SCC signature is usually required. The practical compliance task is deciding whether Module 2 or Module 3 applies and documenting the transfer correctly under GDPR.

This page provides general information and is not legal advice for a specific situation. For the full framework covering Anthropic’s Data Processing Addendum, see our guide on the Anthropic DPA and the Anthropic Data Processing Addendum review. For a broader GDPR compliance overview, see our Anthropic GDPR Compliance hub.

What Are Standard Contractual Clauses (SCCs)?

Standard Contractual Clauses are EU Commission-approved model contracts that allow companies to transfer personal data from the EU/EEA to countries without an adequacy decision — including the United States. SCCs are the primary transfer mechanism under Article 46(2)(c) GDPR (GDPR Chapter V) and were updated in 2021 following the Schrems II judgment (CJEU Case C-311/18).

Without a valid transfer mechanism, transferring personal data from the EU to a US-based AI provider would violate GDPR. SCCs fill this gap contractually, committing the data importer to EU-equivalent data protection standards.

The 2021 EU Commission SCCs provide four modules covering different transfer scenarios:

• Module 1 — Controller to Controller
• Module 2 — Controller to Processor
• Module 3 — Processor to Processor
• Module 4 — Processor to Controller

For most Anthropic use cases, Module 2 or Module 3 applies.

Which SCCs Does Anthropic Use?

Anthropic’s DPA defines “Standard Contractual Clauses” as Module Two (controller to processor) or Module Three (processor to processor) of the 2021 EU SCCs. The DPA is incorporated into Anthropic’s commercial terms, and Anthropic’s commercial terms effective June 17, 2025 incorporate that DPA by reference. Customers using the Claude API or Claude for Work / Enterprise directly with Anthropic therefore do not normally execute a separate SCC document.

Anthropic also provides addenda adapting the EU SCCs for:

• UK transfers: the UK International Data Transfer Addendum (UK IDTA), required for transfers subject to UK GDPR following Brexit
• Swiss transfers: an adaptation for the Swiss Federal Act on Data Protection (FADP)

SCC Module 2 vs Module 3: Which Applies to Your Organization?

The correct SCC module depends on your organization’s role in the data processing chain. The following table covers the most common scenarios:

Your role	Anthropic’s role	Applicable SCC module
Controller (processes data for your own purposes)	Processor (processes on your behalf)	Module 2 (Controller to Processor)
Processor (processes data on behalf of your customers)	Sub-processor	Module 3 (Processor to Processor)

Module 2 — Controller to Processor applies when your organization is the data controller. This is the standard scenario for enterprises using Claude for internal workflows, customer data analysis, or operational automation. You determine the purpose and means of processing; Anthropic processes on your instruction.

Module 3 — Processor to Processor applies when your organization is itself a processor — for example, a SaaS company building a product on top of the Claude API that processes data on behalf of your clients. In this case, Anthropic acts as your sub-processor.

Decision shortcut: If you process personal data on behalf of your own customers and then send that data to Claude, Module 3 is often the starting point because Anthropic is acting as your sub-processor. If your own business decides why the data is processed and uses Claude for internal workflows involving customer, prospect, or employee data, Module 2 is usually the starting point. Hybrid scenarios — where the same company is controller for some flows and processor for others — require a separate role analysis for each processing activity.

Do I Need to Sign SCCs Separately with Anthropic?

No, not for a direct Anthropic contract. Customers do not normally need to separately negotiate or sign SCC documents with Anthropic. Anthropic incorporates the applicable SCC module into its DPA, and the DPA is incorporated into the commercial terms accepted for the paid service.

This is the most common source of confusion in GDPR procurement for AI tools. Unlike some enterprise vendors who require a separate data transfer agreement signature, Anthropic incorporates SCCs by reference into the standard commercial terms.

The important carve-out is third-party platform use. Anthropic’s own help center states that where Claude is accessed through a third-party platform or service provider, that platform’s terms govern the setup. In practice, this means that AWS Bedrock, Google Vertex AI, or other intermediated deployments require a separate review of that provider’s DPA, SCCs, and transfer architecture.

Your compliance responsibility is to:

1. Identify which module applies to your organization based on your controller or processor role.
2. Document the transfer in your Record of Processing Activities (ROPA) under Article 30 GDPR, recording the transfer mechanism, the applicable SCC module, and destination countries.
3. Carry out a Transfer Impact Assessment — SCCs are a legal mechanism but do not automatically mean the transfer is low-risk. A TIA is required for most EU-US transfers relying on SCCs.

UK and Swiss Addenda

For organizations subject to UK GDPR or Swiss FADP rather than EU GDPR, the standard EU SCCs must be supplemented:

• UK International Data Transfer Addendum (UK IDTA): Anthropic’s DPA defines a UK Addendum based on the ICO-approved international transfer addendum for transfer paths subject to UK GDPR.
• Swiss FADP addendum: Required for data transfers from Switzerland under the Swiss Federal Act on Data Protection. Anthropic provides a Swiss FADP adaptation alongside the EU SCCs.

Organizations subject to UK or Swiss data protection law should confirm with Anthropic that the applicable addendum is incorporated into their commercial terms. This can typically be confirmed through your account representative or the Anthropic customer portal.

Transfer Impact Assessment (TIA) for Anthropic

The 2021 EU Commission SCCs and subsequent European Data Protection Board (EDPB) guidance require organizations to conduct a Transfer Impact Assessment (TIA) when relying on SCCs for international data transfers. A TIA is a documented analysis assessing whether the legal framework in the destination country provides adequate protection in practice, and whether supplementary measures are necessary.

What a TIA for Anthropic transfers should cover:

• The US legal framework applicable to Anthropic’s infrastructure — including potential government access obligations under laws such as FISA Section 702
• Anthropic’s technical and organizational measures for protecting transferred data
• Whether supplementary technical measures — encryption, pseudonymization, or data minimization at the API level — reduce residual risk
• Whether your organization is relying on the Anthropic SCC route or a different transfer basis for a specific importer, and whether that choice is documented consistently across procurement, privacy, and security records

Anthropic’s TIA support: Anthropic states it provides information to support customers’ TIA obligations on request. Enterprise customers should request this documentation through their account representative before deployment and retain the TIA documentation alongside the ROPA entry.

SCCs vs EU Data Residency: Not the Same Thing

SCCs and EU data residency are frequently conflated in procurement conversations — they address different compliance requirements.

Standard Contractual Clauses are a legal transfer mechanism — they authorize the transfer of personal data outside the EEA by contractually imposing EU-equivalent obligations on the recipient. SCCs do not prevent the data from leaving the EU; they govern the conditions under which it can lawfully do so.

EU data residency means that personal data is physically stored and processed on infrastructure within the EEA. Having SCCs in place does not mean your data stays in Europe — it means the transfer, wherever it goes, is legally authorized under GDPR.

For organizations that require EU data residency in addition to the SCC transfer mechanism — for example, those subject to sector-specific data localization rules — the SCCs in Anthropic’s DPA are not sufficient on their own. EU data residency for Claude requires a separate infrastructure configuration. For current options and analysis, see our page on Claude EU hosting.

What Else Do You Need Beyond Anthropic’s SCCs?

The SCCs automatically incorporated into Anthropic’s commercial terms are a necessary but not sufficient basis for GDPR-compliant Claude deployments. A full compliance picture requires:

• Article 28 DPA review: Verify the Anthropic Data Processing Addendum covers your specific workflow, data categories, subprocessors, and retention periods.
• Legal basis for processing: Confirm a valid Article 6 GDPR legal basis — and Article 9 GDPR where special categories of data are involved.
• ROPA documentation: Record the Anthropic processing activity — including the applicable SCC module, destination countries, and transfer mechanism — in your Record of Processing Activities under Article 30 GDPR.
• TIA documentation: Complete and retain a Transfer Impact Assessment for the EU-US transfer path and any subprocessor transfer paths outside the EEA.
• DPIA assessment: Determine whether a Data Protection Impact Assessment under Article 35 GDPR is required given the scale, nature, and risk profile of the processing.
• Subprocessor review: Obtain and review Anthropic’s current subprocessor list at anthropic.com/subprocessors, including the transfer mechanisms applied to each subprocessor operating outside the EEA.

For employee data, co-determination obligations under § 87(1) No. 6 BetrVG may apply independently of the DPA and SCC review — these obligations arise from German labor law and are not resolved by the GDPR contract stack alone.

Compound Law advises businesses, startups, and in-house teams in Germany on GDPR, AI contracts, and data transfer compliance. If you need a full SCC and DPA review for your Anthropic deployment, contact us.

FAQ

What SCCs does Anthropic use?

Anthropic uses EU Commission-approved Standard Contractual Clauses under Article 46(2)(c) GDPR — specifically Module 2 (controller-to-processor) and Module 3 (processor-to-processor). The 2021 EU Commission SCCs apply. They are automatically incorporated into the Anthropic Data Processing Addendum as part of the commercial terms accepted for Claude Enterprise and the Claude API. Customers do not need to separately negotiate or sign SCC documents.

Are Anthropic’s SCCs GDPR compliant?

Yes — Anthropic uses the current 2021 EU Commission SCCs, which are the legally valid transfer mechanism under Article 46(2)(c) GDPR. However, SCCs are a legal authorization for the transfer, not a guarantee of equivalent protection in practice. Following the Schrems II judgment, companies must still carry out a Transfer Impact Assessment and document supplementary measures where needed. If a procurement team relies on another transfer basis for a particular importer, that should be documented separately and not assumed from the Anthropic SCC text alone.

Do I need a Transfer Impact Assessment for Anthropic?

In most cases, yes. The EDPB guidance following Schrems II requires a Transfer Impact Assessment when relying on SCCs for transfers to third countries. For EU-US transfers to Anthropic, the TIA should assess the US legal framework (including FISA Section 702 government access obligations), Anthropic’s technical and organizational measures, and whether supplementary measures are needed. Anthropic provides TIA support documentation on request — request this through your account representative before deployment.

Does Claude Enterprise use SCCs?

Yes. SCCs are automatically incorporated into Anthropic’s commercial terms for both Claude for Work / Enterprise and the Claude API when you contract directly with Anthropic. No separate SCC execution is usually required in that direct setup. UK and Swiss customers should confirm that the applicable UK or Swiss addendum is included. Customers accessing Claude via Amazon Bedrock, Google Vertex AI, or another intermediary should note that the intermediary’s DPA and transfer terms govern those deployments instead.