What Modules Are Available and How Should the Appropriate Module Be Selected?

ANSWER

The SCCs combine general clauses that apply in all cases (e.g., Section I) with four modules tailored to different scenarios involving transfers of personal data outside the EEA. The parties must select the module that corresponds to the specific factual situation, particularly in light of their respective roles, i.e., whether they act as controllers, processors, or sub-processors (for the meaning of these concepts, see also the guidelines of the European Data Protection Board, available at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en).

Module 1 applies to transfers of personal data from a controller (the data exporter) to another controller (the data importer).

Example:

A Swedish travel agency has entered into a framework agreement with a hotel chain to arrange accommodation for European tourists worldwide. To transfer guest data to the hotel chain's reservation center (the data importer) using SCCs, the Swedish agency (the data exporter) should use Module 1.

Module 2 applies to transfers of personal data from a controller (the data exporter) to a processor (the data importer).

Example:

A company in the Netherlands outsources HR services to a provider operating in India. The Dutch company should use Module 2 to transfer its employees' data to the Indian provider (the data importer) based on SCCs.

Module 3 applies to transfers of personal data from a processor (the data exporter) to a sub-processor (the data importer).

Example:

A hospital in Germany sends blood samples to a laboratory in Poland for analysis. The Polish laboratory outsources part of its services to an Indonesian institute specializing in genetic analysis and uses SCCs for this purpose. The Polish laboratory (the data exporter) may use Module 3 to transfer the data to the Indonesian institute (the data importer).

Module 4 applies to transfers of personal data from a processor (the data exporter) to a controller (the data importer).

Example 1:

A Moroccan company uses cloud services provided by a Luxembourg company to manage its customer database. SCCs (Module 4) may be used by the Luxembourg company (the data exporter) to transfer data from its server in Luxembourg (back) to its client in Morocco (the data importer).

Example 2:

A university in Tunisia hires a research institute in Belgium to conduct a survey. The Belgian institute collects and processes data within the EU and subsequently transfers the data to the Tunisian university. SCCs (Module 4) may be used by the Belgian institute (the data exporter) to transfer the data to the university in Tunisia (the data importer).