38
Clause 8 in that annex, under the heading ‘Cooperation with supervisory authorities’, stipulates, in
paragraph 2 thereof:
‘The parties agree that the supervisory authority has the right to conduct an audit of the data importer,
and of any sub-processor, which has the same scope and is subject to the same conditions as would
apply to an audit of the data exporter under the applicable data protection law.’
39
Clause 9 in that annex, under the heading ‘Governing law’, specifies that the clauses are to be
governed by the law of the Member State in which the data exporter is established.
40
According to Clause 11 in that annex, under the heading ‘Sub-processing’:
‘1.
The data importer shall not subcontract any of its processing operations performed on behalf of
the data exporter under the Clauses without the prior written consent of the data exporter. Where the
data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it
shall do so only by way of a written agreement with the sub-processor which imposes the same
obligations on the sub-processor as are imposed on the data importer under the Clauses …
2.
The prior written contract between the data importer and the sub-processor shall also provide for
a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to
bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the
data importer because they have factually disappeared or have ceased to exist in law or have become
insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data
importer by contract or by operation of law. Such third-party liability of the sub-processor shall be
limited to its own processing operations under the Clauses.
…’
41
Clause 12 in the annex to the SCC Decision, under the heading ‘Obligation after the termination of
personal data-processing services’, states, in paragraph 1 thereof:
‘The parties agree that on the termination of the provision of data-processing services, the data
importer and the sub-processor shall, at the choice of the data exporter, return all the personal data
transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify
to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it
from returning or destroying all or part of the personal data transferred. …’
The Privacy Shield Decision
42
In the judgment of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650), the Court declared
Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European
Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy
principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000
L 215, p. 7), in which the Commission had found that that third country ensured an adequate level of
protection, invalid.
43
Following the delivery of that judgment, the Commission adopted the Privacy Shield Decision, after
having, for the purposes of adopting that decision, assessed the US legislation, as stated in recital 65 of
the decision:
‘The Commission has assessed the limitations and safeguards available in U.S. law as regards access
and use of personal data transferred under the EU-U.S. Privacy Shield by U.S. public authorities for
national security, law enforcement and other public interest purposes. In addition, the U.S. government,
through its Office of the Director of National Intelligence (ODNI) …, has provided the Commission
with detailed representations and commitments that are contained in Annex VI to this decision. By
letter signed by the Secretary of State and attached as Annex III to this decision the U.S. government
has also committed to create a new oversight mechanism for national security interference, the Privacy
Shield Ombudsperson, who is independent from the Intelligence Community. Finally, a representation
from the U.S. Department of Justice, contained in Annex VII to this decision, describes the limitations