recital 116 of that regulation, ‘when personal data moves across borders outside the Union it may put at
increased risk the ability of natural persons to exercise data protection rights in particular to protect
themselves from the unlawful use or disclosure of that information’. In such cases, as is stated in that
recital, ‘supervisory authorities may find that they are unable to pursue complaints or conduct
investigations relating to the activities outside their borders’.
109
In addition, under Article 57(1)(f) of the GDPR, each supervisory authority is required on its territory
to handle complaints which, in accordance with Article 77(1) of that regulation, any data subject is
entitled to lodge where that data subject considers that the processing of his or her personal data
infringes the regulation, and is required to examine the nature of that complaint as necessary. The
supervisory authority must handle such a complaint with all due diligence (see, by analogy, as regards
Article 25(6) of Directive 95/46, judgment of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650,
paragraph 63).
110
Article 78(1) and (2) of the GDPR recognises the right of each person to an effective judicial remedy,
in particular, where the supervisory authority fails to deal with his or her complaint. Recital 141 of that
regulation also refers to that ‘right to an effective judicial remedy in accordance with Article 47 of the
Charter’ in circumstances where that supervisory authority ‘does not act where such action is necessary
to protect the rights of the data subject’.
111
In order to handle complaints lodged, Article 58(1) of the GDPR confers extensive investigative
powers on each supervisory authority. If a supervisory authority takes the view, following an
investigation, that a data subject whose personal data have been transferred to a third country is not
afforded an adequate level of protection in that country, it is required, under EU law, to take
appropriate action in order to remedy any findings of inadequacy, irrespective of the reason for, or
nature of, that inadequacy. To that effect, Article 58(2) of that regulation lists the various corrective
powers which the supervisory authority may adopt.
112
Although the supervisory authority must determine which action is appropriate and necessary and take
into consideration all the circumstances of the transfer of personal data in question in that
determination, the supervisory authority is nevertheless required to execute its responsibility for
ensuring that the GDPR is fully enforced with all due diligence.
113
In that regard, as the Advocate General also stated in point 148 of his Opinion, the supervisory
authority is required, under Article 58(2)(f) and (j) of that regulation, to suspend or prohibit a transfer
of personal data to a third country if, in its view, in the light of all the circumstances of that transfer, the
standard data protection clauses are not or cannot be complied with in that third country and the
protection of the data transferred that is required by EU law cannot be ensured by other means, where
the controller or a processor has not itself suspended or put an end to the transfer.
114
The interpretation in the previous paragraph is not undermined by the Commissioner’s reasoning that
Article 4 of Decision 2010/87, in its version prior to the entry into force of Implementing Decision
2016/2297, read in the light of recital 11 of that decision, confined the power of supervisory authorities
to suspend or prohibit a transfer of personal data to a third country to certain exceptional
circumstances. As amended by Implementing Decision 2016/2297, Article 4 of the SCC Decision
refers to the power of the supervisory authorities, now under Article 58(2)(f) and (j) of the GDPR, to
suspend or ban such a transfer, without confining the exercise of that power to exceptional
circumstances.
115
In any event, the implementing power which Article 46(2)(c) of the GDPR grants to the Commission
for the purposes of adopting standard data protection clauses does not confer upon it competence to
restrict the national supervisory authorities’ powers on the basis of Article 58(2) of that regulation (see,
by analogy, as regards Article 25(6) and Article 28 of Directive 95/46, judgment of 6 October 2015,
Schrems, C‑362/14, EU:C:2015:650, paragraphs 102 and 103). Moreover, as stated in recital 5 of
Implementing Decision 2016/2297, the SCC Decision ‘does not prevent a [supervisory authority] from
exercising its powers to oversee data flows, including the power to suspend or ban a transfer of
personal data when it determines that the transfer is carried out in violation of EU or national data
protection law’.