therein by way of example are, in any event, activities of the State or of State authorities and are
unrelated to fields in which individuals are active (see, by analogy, as regards Article 3(2) of Directive
95/46, judgment of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, paragraph 38 and the
case-law cited).
86
The possibility that the personal data transferred between two economic operators for commercial
purposes might undergo, at the time of the transfer or thereafter, processing for the purposes of public
security, defence and State security by the authorities of that third country cannot remove that transfer
from the scope of the GDPR.
87
Indeed, by expressly requiring the Commission, when assessing the adequacy of the level of
protection afforded by a third country, to take account, inter alia, of ‘relevant legislation, both general
and sectoral, including concerning public security, defence, national security and criminal law and the
access of public authorities to personal data, as well as the implementation of such legislation’, it is
patent from the very wording of Article 45(2)(a) of that regulation that no processing by a third country
of personal data for the purposes of public security, defence and State security excludes the transfer at
issue from the application of the regulation.
88
It follows that such a transfer cannot fall outside the scope of the GDPR on the ground that the data at
issue is liable to be processed, at the time of that transfer or thereafter, by the authorities of the third
country concerned, for the purposes of public security, defence and State security.
89
Therefore, the answer to the first question is that Article 2(1) and (2) of the GDPR must be interpreted
as meaning that that regulation applies to the transfer of personal data for commercial purposes by an
economic operator established in a Member State to another economic operator established in a third
country, irrespective of whether, at the time of that transfer or thereafter, that data is liable to be
processed by the authorities of the third country in question for the purposes of public security, defence
and State security.
The second, third and sixth questions
90
By its second, third and sixth questions, the referring court seeks clarification from the Court, in
essence, on the level of protection required by Article 46(1) and Article 46(2)(c) of the GDPR in
respect of a transfer of personal data to a third country based on standard data protection clauses. In
particular, the referring court asks the Court to specify which factors need to be taken into
consideration for the purpose of determining whether that level of protection is ensured in the context
of such a transfer.
91
As regards the level of protection required, it follows from a combined reading of those provisions
that, in the absence of an adequacy decision under Article 45(3) of that regulation, a controller or
processor may transfer personal data to a third country only if the controller or processor has provided
‘appropriate safeguards’, and on condition that ‘enforceable data subject rights and effective legal
remedies for data subjects’ are available, such safeguards being able to be provided, inter alia, by the
standard data protection clauses adopted by the Commission.
92
Although Article 46 of the GDPR does not specify the nature of the requirements which flow from that
reference to ‘appropriate safeguards’, ‘enforceable rights’ and ‘effective legal remedies’, it should be
noted that that article appears in Chapter V of that regulation and, accordingly, must be read in the light
of Article 44 of that regulation, entitled ‘General principle for transfers’, which lays down that ‘all
provisions [in that chapter] shall be applied in order to ensure that the level of protection of natural
persons guaranteed by [that regulation] is not undermined’. That level of protection must therefore be
guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data
to a third country is carried out.
93
As the Advocate General stated in point 117 of his Opinion, the provisions of Chapter V of the GDPR
are intended to ensure the continuity of that high level of protection where personal data is transferred
to a third country, in accordance with the objective set out in recital 6 thereof.