Can SCCs Be Used to Transfer Data to Controllers or Processors Whose Processing Activities Are Directly Subject to the GDPR?
ANSWER
No (see Article 1 of Commission Implementing Decision (EU) 2021/914).1
The SCCs provide a comprehensive data protection framework designed to ensure continuity of protection when personal data is transferred to data importers that are not directly subject to the GDPR.
The SCCs are not intended for data importers whose processing activities are directly subject to the GDPR (pursuant to Article 3 GDPR), because in such cases the SCCs would duplicate and partially modify obligations that already apply directly under the GDPR.
The European Commission is currently working on an additional set of SCCs for this scenario, namely transfers of personal data between controllers and processors that are themselves directly subject to the GDPR.
The above answer is based on an official document of the European Commission.
You can review it at: https://ec.europa.eu/info/sites/default/files/questions_answers_on_sccs_en.pdf
A translated version of this document is also available on our blog under the title: "Standard Contractual Clauses (SCCs) – Questions and Answers".
1 Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
