operator established in a third country, falls, as is apparent from the answer to the first question, within
the scope of the GDPR and, second, the purpose of that regulation is, inter alia, as is apparent from
recital 10 thereof, to ensure a consistent and high level of protection of natural persons within the
European Union and, to that end, to ensure a consistent and homogeneous application of the rules for
the protection of the fundamental rights and freedoms of such natural persons with regard to the
processing of personal data throughout the European Union, the level of protection of fundamental
rights required by Article 46(1) of that regulation must be determined on the basis of the provisions of
that regulation, read in the light of the fundamental rights enshrined in the Charter.
102
The referring court also seeks to ascertain what factors should be taken into consideration for the
purposes of determining the adequacy of the level of protection where personal data is transferred to a
third country pursuant to standard data protection clauses adopted under Article 46(2)(c) of the GDPR.
103
In that regard, although that provision does not list the various factors which must be taken into
consideration for the purposes of assessing the adequacy of the level of protection to be observed in
such a transfer, Article 46(1) of that regulation states that data subjects must be afforded appropriate
safeguards, enforceable rights and effective legal remedies.
104
The assessment required for that purpose in the context of such a transfer must, in particular, take into
consideration both the contractual clauses agreed between the controller or processor established in the
European Union and the recipient of the transfer established in the third country concerned and, as
regards any access by the public authorities of that third country to the personal data transferred, the
relevant aspects of the legal system of that third country. As regards the latter, the factors to be taken
into consideration in the context of Article 46 of that regulation correspond to those set out, in a nonexhaustive manner, in Article 45(2) of that regulation.
105
Therefore, the answer to the second, third and sixth questions is that Article 46(1) and Article 46(2)(c)
of the GDPR must be interpreted as meaning that the appropriate safeguards, enforceable rights and
effective legal remedies required by those provisions must ensure that data subjects whose personal
data are transferred to a third country pursuant to standard data protection clauses are afforded a level
of protection essentially equivalent to that guaranteed within the European Union by that regulation,
read in the light of the Charter. To that end, the assessment of the level of protection afforded in the
context of such a transfer must, in particular, take into consideration both the contractual clauses
agreed between the controller or processor established in the European Union and the recipient of the
transfer established in the third country concerned and, as regards any access by the public authorities
of that third country to the personal data transferred, the relevant aspects of the legal system of that
third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.
The eighth question
106
By its eighth question, the referring court wishes to know, in essence, whether Article 58(2)(f) and (j)
of the GDPR must be interpreted as meaning that the competent supervisory authority is required to
suspend or prohibit a transfer of personal data to a third country pursuant to standard data protection
clauses adopted by the Commission, if, in the view of that supervisory authority, those clauses are not
or cannot be complied with in that third country and the protection of the data transferred that is
required by EU law, in particular by Articles 45 and 46 of the GDPR and by the Charter, cannot be
ensured, or as meaning that the exercise of those powers is limited to exceptional cases.
107
In accordance with Article 8(3) of the Charter and Article 51(1) and Article 57(1)(a) of the GDPR, the
national supervisory authorities are responsible for monitoring compliance with the EU rules
concerning the protection of natural persons with regard to the processing of personal data. Each of
those authorities is therefore vested with the power to check whether a transfer of personal data from
its own Member State to a third country complies with the requirements laid down in that regulation
(see, by analogy, as regards Article 28 of Directive 95/46, judgment of 6 October 2015, Schrems,
C‑362/14, EU:C:2015:650, paragraph 47).
108
It follows from those provisions that the supervisory authorities’ primary responsibility is to monitor
the application of the GDPR and to ensure its enforcement. The exercise of that responsibility is of
particular importance where personal data is transferred to a third country since, as is clear from