CIPP/E Study Guide
Ch 12.6 - Appropriate safeguards & SCCs

Providing adequate safeguards - SCCs and the transfer impact assessment

Where there is no adequacy decision, controllers/processors must use appropriate safeguards. The GDPR lists several: binding instruments between public bodies, BCRs, SCCs, approved codes of conduct and certification mechanisms, and ad-hoc clauses. The most common are SCCs; the 2021 modular SCCs address Schrems II, which requires a transfer impact assessment and possibly supplementary measures.

  • A legally binding and enforceable instrument between public authorities or bodies
  • Binding corporate rules (Article 47)
  • Standard data protection clauses (SCCs) adopted by the Commission
  • Standard clauses adopted by a supervisory authority and approved by the Commission
  • An approved code of conduct (Article 40) with binding, enforceable commitments
  • An approved certification mechanism (Article 42) with binding, enforceable commitments
  • Ad-hoc contractual clauses specifically approved by the competent supervisory authority

SCCs (or 'model clauses') are the traditional, most-used route. In Schrems II (16 July 2020) the CJEU held SCCs remain valid, but the parties must assess the third country's law on public-authority access and, if needed, add supplementary measures. The Commission adopted revised, modular SCCs on 4 June 2021.

The four 2021 SCC modules

Module    Transfer scenario
Module 1  Controller-to-controller
Module 2  Controller-to-processor
Module 3  Processor-to-processor
Module 4  Processor-to-controller

EDPB transfer impact assessment - six steps (Recommendations 01/2020)

Step  Action
1     Know your transfers
2     Identify the transfer tools you rely on
3     Assess whether the Article 46 tool is effective in light of all circumstances (identify third-country access laws)
4     Adopt supplementary measures
5     Take procedural steps if effective supplementary measures are identified
6     Re-evaluate at appropriate intervals

Schrems II didn't kill SCCs

Common exam trap: Schrems II invalidated Privacy Shield but UPHELD SCCs. It only added the duty to assess the destination country and supplement where needed. For UK exports, the ICO's IDTA and Addendum came into force 21 March 2022.

Key terms - quick answers

What are “Standard contractual clauses”?
Model data-protection clauses adopted by the Commission that bind exporter and importer to EU-standard obligations; the most common transfer safeguard.
What is “Transfer impact assessment”?
The six-step assessment (per EDPB Recommendations 01/2020) of whether a transfer tool is effective in light of third-country law, and whether supplementary measures are needed.
What are “Supplementary measures”?
Additional safeguards (e.g. technical, contractual, organisational) added to SCCs where third-country law would otherwise undermine protection.
What are “Codes of conduct”?
Approved codes (Article 40) usable as a transfer mechanism with binding, enforceable commitments by the importer.