International personal data transfers from the EEA using SCCs—EEA controller 1—EEA controller 2—third country processor—third country controller
Produced in partnership with the Data Protection Intelligence Group
International personal data transfers from the EEA using SCCs—EEA controller 1—EEA controller 2—third country processor—third country controller

The following Information Law practice note produced in partnership with the Data Protection Intelligence Group provides comprehensive and up to date legal information covering:

  • International personal data transfers from the EEA using SCCs—EEA controller 1—EEA controller 2—third country processor—third country controller
  • Purpose of this Practice Note
  • This scenario
  • Steps to be taken by EEA organisations
  • Important assumptions underpinning this guidance
  • Consider other Transfer Mechanisms
  • Other scenarios in this series

Purpose of this Practice Note

As explained in Practice Note: UK GDPR and EU GDPR—transfers of personal data internationally and to international organisations, Chapter V of the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) imposes restrictions on transfers of personal data outside the EEA (EEA Transfer Restrictions).

This Practice Note illustrates how standard contractual clauses pre-approved by the European Commission (also known as Model Clauses and referred to in this Practice Note as ‘SCCs’ for short) may be used to comply with EEA Transfer Restrictions.

In the scenario below, it is anticipated that personal data will be transferred as follows:

  1. from an EEA controller based in France to a second EEA controller based in Germany

  2. then, from the German controller to a third country processor based in China

  3. then, from the Chinese processor to a third country controller based in Australia

For the purposes of illustration, this scenario focuses solely on transfers of the data in one direction out of the EEA; return transfers to any third country jurisdiction (if any) are not addressed.

For further guidance on EEA Transfer Restrictions, when they apply and the mechanisms (Transfer Mechanisms) available to permit lawful transfers of personal data, see Practice Note: EU GDPR—transfers of personal data internationally and to international organisations. For further guidance on the different types of SCCs available and on using SCCs, see the subsection:

Popular documents