I Have Been Informed That My Data Was Transferred Outside the EEA Based on SCCs. How Can I Obtain More Information About the Transfer, My Rights, and the Safeguards in Place? Can I Receive a Copy of the SCCs?

ANSWER

Under the SCCs, the parties are required to provide, free of charge and upon request, a copy of the clauses as they have been applied.

This includes:

• the selected modules and options;
• the completed and signed annexes, in which the parties specify details regarding the data transfer; and
• the specific measures implemented to protect the data while it is being processed by the data importer.

A general reference to the SCCs adopted by the European Commission (for example, by providing a link to the Commission's website) is not sufficient (see Module 1, Clause 8.2; Module 2, Clause 8.3; and Module 4, Clause 8.3 of the SCCs).

When providing a copy of the clauses, the parties may redact only information that constitutes trade secrets or other confidential information (e.g., personal data relating to other individuals). In such cases, they must explain why the information has been omitted.

If the remaining text is too difficult to understand, the parties must provide a clear and plain-language summary of the redacted sections (see Module 1, Clause 8.2; Module 2, Clause 8.3; and Module 4, Clause 8.3 of the SCCs).

Right to Information Under the GDPR and SCCs

Under both the GDPR and the SCCs, you have the right to receive information from the entity responsible for processing your personal data (i.e., the controller).

This includes information about:

• the data being transferred;
• the purpose of the processing;
• the recipients to whom your data has been or will be disclosed; and
• your right to lodge a complaint with a supervisory authority.

In particular, you may request information about the processing of your data, including international transfers, from the data exporter acting as the controller under Article 15 GDPR.

Where the Data Importer Is a Separate Controller

If the data has been transferred by a controller to an entity outside the EEA that uses the data for its own purposes (i.e., as a separate controller), the data exporter (controller) will only be able to provide information about its own processing activities, including the fact that the data was transferred outside the EEA.

In such cases, you should exercise your right of access directly with the controller outside the EEA (the data importer), based on the SCCs concluded between the parties (Module 1, Clause 10 of the SCCs).

If It Is Unclear Who the Controller Is

Where multiple entities are involved in the processing and it is unclear who the controller is, you may contact:

• the entity that transferred the personal data; or
• the non-European entity that received the personal data.

If the entity you contact cannot answer your request directly because it acts only as a service provider (i.e., on behalf of another entity), the SCCs require both parties to cooperate in handling your request effectively and without undue delay.