ODO24 Logo
ODO24 Logo
ODO24 Logo
GDPR questions and answers

GDPR: QUESTIONS AND ANSWERS

Category:
Standard Contractual Clauses (SCC)

For Modules 1, 2, and 3: Must the Data Importer Take Specific Steps When Disclosing the Received Personal Data to Third Parties?

ANSWER

As a general rule, where the data importer further discloses personal data received under the SCCs to another entity, either within or outside the country in which it is established, it must ensure that equivalent safeguards continue to apply to the data (see Module 1, Clause 8.7; Module 2, Clause 8.8; and Module 3, Clause 8.8).

This can be achieved in various ways, for example by:

  • having the third party accede to the SCCs; or
  • entering into a separate agreement with the third party that guarantees a level of protection equivalent to that provided by the SCCs.

In certain specific situations, the data importer may further disclose the data even where it is not possible or appropriate to establish contractual data protection safeguards with the third party.

In particular, it may be necessary for the data importer to disclose the data in order to protect the vital interests of the data subject. For example, a hotel chain may need to disclose a guest's data to a local hospital in the event of a medical emergency.

The same applies where the data importer must disclose certain information as part of a domestic administrative or judicial proceeding. For example, a pharmaceutical company may need to provide data to a national regulatory authority in order to obtain approval for its products.

Additional Information for Module 1 (Controller-to-Controller)

Where none of the above grounds applies, the data importer may also rely on the explicit consent of the data subjects for the onward transfer of data to third parties (see Module 1, Clause 8.7(vi)).

In such cases, the data importer must ensure that the data subject has been informed of:

  • the purpose(s) of the transfer;
  • the identity of the third party; and
  • the possible risks resulting from the absence of data protection safeguards.

The data importer must also inform the data exporter about the onward transfer based on consent.

The data exporter may request a copy of the information that was provided to the data subject.

The above answer is based on an official document of the European Commission.

You can review it at: https://ec.europa.eu/info/sites/default/files/questions_answers_on_sccs_en.pdf

A translated version of this document is also available on our blog under the title: "Standard Contractual Clauses (SCCs) – Questions and Answers".

Show all
PreviousNext

Read also:

07 June 2026

TikTok a RODO w sektorze publicznym – czego urzędy mogą dowiedzieć się z niemieckich zaleceń dla instytucji

29 May 2026

Kontrola służbowej poczty e-mail pracownika a tajemnica przedsiębiorstwa - kiedy pracodawca może legalnie przejrzeć skrzynkę?

14 May 2026

Czy pracodawca może opublikować zdjęcie pracownika? Wykorzystanie wizerunku pracownika na gruncie RODO i prawa autorskiego

RODO Migawki

Bezpłatny e-learning dla pracowników

Receive a free package of 4 tutorials and 4 e-learning trainings
The controller of your data is ODO 24 sp. z o. o.
Modules 1–3 SCC: disclosing data to third parties | ODO 24 | ODO 24