Ch 17.2.4 - Transfer mechanisms
Cloud: international data transfers
Cloud almost always involves international transfers, and the cloud customer (exporter) is responsible for compliance. Options to provide appropriate safeguards: geographically limiting the cloud, the 2021 SCCs (module two), tailored transfer agreements, processor BCRs, codes/certification, or an Article 49 derogation. After Schrems II, the exporter must assess the destination's local laws and add safeguards where needed. Consent under Article 49 is rarely realistic.
| Mechanism | Key point / drawback |
|---|---|
| Geographically limit the cloud | Restrict to EEA / adequate countries - but may defeat the cloud's purpose and raise cost |
| 2021 SCCs (model clauses) | Cloud usually needs module two; clauses can't be altered, must be updated as processing evolves, and (per 2022 FAQ) are NOT appropriate where the importer is directly subject to the GDPR |
| Tailored transfer agreements | More flexible but costlier, slower, and must be approved by regulators |
| Processor BCRs | Give the supplier 'safe processor' status once approved |
| Codes of conduct / certification | New GDPR routes to demonstrate adequacy |
| Article 49 derogation (consent) | Interpreted restrictively; valid consent is hard, so rarely realistic in commercial clouds |
Schrems II step
SCCs may not be enough on their own. After Schrems II, the exporter must assess the protection the clauses give in practice in light of the importer's local laws and, where necessary, add technical or organisational safeguards before transferring.
Key terms - quick answers
What is “SCCs”?
Standard Contractual Clauses - Commission-approved model contract clauses (2021 version) for transfers to third countries; cloud usually needs module two.
What is “Schrems II”?
CJEU judgment requiring the exporter to assess whether SCCs offer adequate protection in light of the importer's local laws, and add safeguards if needed.
What is “Processor BCRs”?
Binding Corporate Rules for processors - once approved, give the supplier 'safe processor' status for customer data transfers.
What is “Article 49 derogation”?
Exceptions allowing transfers without standard safeguards (e.g. explicit consent); interpreted restrictively by the EDPB.