International personal data transfers from the EEA using SCCs—EEA controller 1—EEA controller 2—third country controller 1—third country controller 2
Produced in partnership with the Data Protection Intelligence Group
International personal data transfers from the EEA using SCCs—EEA controller 1—EEA controller 2—third country controller 1—third country controller 2

The following Information Law guidance note Produced in partnership with the Data Protection Intelligence Group provides comprehensive and up to date legal information covering:

  • International personal data transfers from the EEA using SCCs—EEA controller 1—EEA controller 2—third country controller 1—third country controller 2
  • Purpose of this Practice Note
  • This scenario
  • Steps to be taken by EEA organisations
  • Important assumptions underpinning this guidance
  • Consider other Transfer Mechanisms
  • Other scenarios in this series

Purpose of this Practice Note

As explained in Practice Note: International transfers of personal data under the GDPR, Chapter V of the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) imposes restrictions on transfers of personal data outside the EEA (EEA Transfer Restrictions).

This Practice Note illustrates how standard contractual clauses pre-approved by the European Commission (also known as Model Clauses and referred to in this Practice Note as ‘SCCs’ for short) may be used to comply with EEA Transfer Restrictions.

In the scenario below, it is anticipated that personal data will be transferred as follows:

  1. from an EEA controller based in France to a second EEA controller based in Germany

  2. then, from the German controller to a third country controller based in China

  3. then, from the Chinese controller to another third county controller based in Australia

For the purposes of illustration, this scenario focuses solely on transfers of the data in one direction out of the EEA; return transfers to any third country jurisdiction (if any) are not addressed.

For further guidance on EEA Transfer Restrictions, when they apply and the mechanisms (Transfer Mechanisms) available to permit lawful transfers of personal data, see Practice Note: International transfers of personal data under the GDPR. For further guidance on the different types of SCCs available and on using SCCs, see the subsection: Standard contractual