International personal data transfers from the EEA using SCCs—EEA controller 1—EEA controller 2—third country controller—third country processor (controllers all joint controllers)
Produced in partnership with the Data Protection Intelligence Group

The following Information Law guidance note, produced in partnership with the Data Protection Intelligence Group, provides comprehensive and up-to-date legal information covering:

  • International personal data transfers from the EEA using SCCs—EEA controller 1—EEA controller 2—third country controller—third country processor (controllers all joint controllers)
  • Purpose of this Practice Note
  • This scenario
  • Steps to be taken by EEA organisations
  • Important assumptions underpinning this guidance
  • Consider other Transfer Mechanisms
  • Other scenarios in this series

STOP PRESS: On 16 July 2020, the Court of Justice ruled in Facebook Ireland and Schrems, Case C-311/18 that the Privacy Shield was invalid. It also made further rulings with implications for the use of standard contractual clauses (also known as SCCs or Model Clauses) and other appropriate safeguards (including Binding Corporate Rules (BCRs)) for transfers of personal data to third countries. This Practice Note will be updated in due course. For further guidance meanwhile, see News Analysis: Privacy Shield invalidated and adequacy of SCCs must be specifically assessed (Facebook Ireland and Schrems).

Purpose of this Practice Note

As explained in Practice Note: International transfers of personal data under the GDPR, Chapter V of the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) imposes restrictions on transfers of personal data outside the EEA (EEA Transfer Restrictions).

This Practice Note illustrates how standard contractual clauses pre-approved by the European Commission (also known as Model Clauses and referred to in this Practice Note as ‘SCCs’ for short) may be used to comply with EEA Transfer Restrictions.

In the scenario below, it is anticipated that personal data will be transferred as follows:

  1. from an EEA controller based in France to a second EEA controller based in Germany

  2. then, from the German controller to a third country controller based in China

  3. then, from the Chinese