What Transfers Can SCCs Be Used For?

ANSWER

SCCs may be used by controllers or processors that are subject to the GDPR to transfer personal data to controllers or processors operating outside the EEA that are not subject to the GDPR.

First, SCCs may be used by controllers and processors in the EEA to transfer data outside the EEA, in particular where the following is planned:

• the transfer of personal data by a controller established in the EEA to a controller or processor established outside the EEA that is not subject to the GDPR;
• the transfer of personal data by a processor established in the EEA to a further processor or to a controller established outside the EEA (on whose behalf the transferring processor processes the data) that is not subject to the GDPR.

Example:

A Czech company uses SCCs to transfer its employees' data to an HR outsourcing service provider in Singapore.

Second, EU data protection rules apply directly in certain situations to the activities of controllers and processors operating outside the EEA, for example because they operate on the EEA market by offering goods or services to individuals in the EEA (for more information, see the guidelines of the European Data Protection Board, available at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf).

For this reason, SCCs may be used by controllers and processors operating outside the EEA to transfer data to other controllers and processors operating outside the EEA, in particular where:

• a controller operates outside the EEA but its processing is subject to the GDPR and it intends to transfer data to another controller or processor that also operates outside the EEA but is not subject to the GDPR;

Example:

A travel agency in Thailand is directly subject to the GDPR under Article 3(2) GDPR, because it offers travel packages aimed at European customers (the packages are prepared in languages used in the EEA, tailored to the needs and preferences of European tourists, with the option to pay in euros or another currency used in the EEA, etc.). To arrange accommodation in Thailand, the agency has a standing agreement with a local Thai hotel. The Thai travel agency may use SCCs (Module 1) to disclose the personal data of European tourists to the Thai hotel.