International personal data transfers from the EEA using SCCs—EEA controller 1—EEA controller 2—third country controller—third country processor (controllers all joint controllers)
Produced in partnership with the Data Protection Intelligence Group
International personal data transfers from the EEA using SCCs—EEA controller 1—EEA controller 2—third country controller—third country processor (controllers all joint controllers)

The following Information Law guidance note Produced in partnership with the Data Protection Intelligence Group provides comprehensive and up to date legal information covering:

  • International personal data transfers from the EEA using SCCs—EEA controller 1—EEA controller 2—third country controller—third country processor (controllers all joint controllers)
  • Purpose of this Practice Note
  • This scenario
  • Steps to be taken by EEA organisations
  • Important assumptions underpinning this guidance
  • Consider other Transfer Mechanisms
  • Other scenarios in this series

Purpose of this Practice Note

As explained in Practice Note: International transfers of personal data under the GDPR, Chapter V of the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) imposes restrictions on transfers of personal data outside the EEA (EEA Transfer Restrictions).

This Practice Note illustrates how standard contractual clauses pre-approved by the European Commission (also known as Model Clauses and referred to in this Practice Note as ‘SCCs’ for short) may be used to comply with EEA Transfer Restrictions.

In the scenario below, it is anticipated that personal data will be transferred as follows:

  1. from an EEA controller based in France to a second EEA controller based in Germany

  2. then, from the German controller to a third country controller based in China

  3. then, from the Chinese controller to another third country processor based in Australia

In this scenario, all the controllers are joint controllers rather than independent controllers. For further guidance on the meaning of those terms, see Practice Note: Determining roles under the GDPR in commercial transactions between businesses (processor, independent controller or joint controller).

For the purposes of illustration, this scenario focuses solely on transfers of the data in one direction out of the EEA; return transfers to any third country jurisdiction (if any) are not addressed.

For further guidance on EEA Transfer Restrictions, when they apply and the mechanisms