(c)
22
where a competent supervisory authority does not request the opinion of the Board in the cases
referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64.
In that case, any supervisory authority concerned or the Commission may communicate the
matter to the Board.’
Article 77 of the GDPR, under the heading ‘Right to lodge a complaint with a supervisory authority’,
states:
‘1.
Without prejudice to any other administrative or judicial remedy, every data subject shall have
the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or
her habitual residence, place of work or place of the alleged infringement if the data subject considers
that the processing of personal data relating to him or her infringes this Regulation.
2.
The supervisory authority with which the complaint has been lodged shall inform the
complainant on the progress and the outcome of the complaint including the possibility of a judicial
remedy pursuant to Article 78.’
23
Article 78 of the GDPR, under the heading ‘Right to an effective judicial remedy against a supervisory
authority’, provides, in paragraphs 1 and 2:
‘1.
Without prejudice to any other administrative or non-judicial remedy, each natural or legal
person shall have the right to an effective judicial remedy against a legally binding decision of a
supervisory authority concerning them.
2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have
the right to [an] effective judicial remedy where the supervisory authority which is competent pursuant
to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three
months on the progress or outcome of the complaint lodged pursuant to Article 77.’
24
Article 94 of the GDPR provides:
‘1.
Directive [95/46] is repealed with effect from 25 May 2018.
2.
References to the repealed Directive shall be construed as references to this Regulation.
References to the Working Party on the Protection of Individuals with regard to the Processing of
Personal Data established by Article 29 of Directive [95/46] shall be construed as references to the
European Data Protection Board established by this Regulation.’
25
Pursuant to Article 99 of the GDPR:
‘1.
This Regulation shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union.
2.
It shall apply from 25 May 2018.’
The SCC Decision
26
Recital 11 of the SCC Decision reads as follows:
‘Supervisory authorities of the Member States play a key role in this contractual mechanism in
ensuring that personal data are adequately protected after the transfer. In exceptional cases where data
exporters refuse or are unable to instruct the data importer properly, with an imminent risk of grave
harm to the data subjects, the standard contractual clauses should allow the supervisory authorities to
audit data importers and sub-processors and, where appropriate, take decisions which are binding on
data importers and sub-processors. The supervisory authorities should have the power to prohibit or
suspend a data transfer or a set of transfers based on the standard contractual clauses in those
exceptional cases where it is established that a transfer on contractual basis is likely to have a
substantial adverse effect on the warranties and obligations providing adequate protection for the data
subject.’