the standard data protection clauses provided for in that decision do not bind the supervisory
authorities of those third countries.
124 Article 1 of the SCC Decision provides that the standard data protection clauses set out in its annex are
considered to offer adequate safeguards with respect to the protection of the privacy and fundamental
rights and freedoms of individuals in accordance with the requirements of Article 26(2) of Directive
95/46. The latter provision was, in essence, reproduced in Article 46(1) and Article 46(2)(c) of the
GDPR.
125
However, although those clauses are binding on a controller established in the European Union and the
recipient of the transfer of personal data established in a third country where they have concluded a
contract incorporating those clauses, it is common ground that those clauses are not capable of binding
the authorities of that third country, since they are not party to the contract.
126
Therefore, although there are situations in which, depending on the law and practices in force in the
third country concerned, the recipient of such a transfer is in a position to guarantee the necessary
protection of the data solely on the basis of standard data protection clauses, there are others in which
the content of those standard clauses might not constitute a sufficient means of ensuring, in practice,
the effective protection of personal data transferred to the third country concerned. That is the case, in
particular, where the law of that third country allows its public authorities to interfere with the rights of
the data subjects to which that data relates.
127
Thus, the question arises whether a Commission decision concerning standard data protection clauses,
adopted pursuant to Article 46(2)(c) of the GDPR, is invalid in the absence, in that decision, of
guarantees which can be enforced against the public authorities of the third countries to which personal
data is or could be transferred pursuant to those clauses.
128
Article 46(1) of the GDPR provides that, in the absence of an adequacy decision, a controller or
processor may transfer personal data to a third country only if the controller or processor has provided
appropriate safeguards, and on condition that enforceable data subject rights and effective legal
remedies for data subjects are available. According to Article 46(2)(c) of the GDPR, those safeguards
may be provided by standard data protection clauses drawn up by the Commission. However, those
provisions do not state that all safeguards must necessarily be provided for in a Commission decision
such as the SCC Decision.
129
It should be noted in that regard that such a standard clauses decision differs from an adequacy
decision adopted pursuant to Article 45(3) of the GDPR, which seeks, following an examination of the
legislation of the third country concerned taking into account, inter alia, the relevant legislation on
national security and public authorities’ access to personal data, to find with binding effect that a third
country, a territory or one or more specified sectors within that third country ensures an adequate level
of protection and that the access of that third country’s public authorities to such data does not
therefore impede transfers of such personal data to the third country. Such an adequacy decision can
therefore be adopted by the Commission only if it has found that the third country’s relevant legislation
in that field does in fact provide all the necessary guarantees from which it can be concluded that that
legislation ensures an adequate level of protection.
130
By contrast, in the case of a Commission decision adopting standard data protection clauses, such as
the SCC Decision, in so far as such a decision does not refer to a third country, a territory or one or
more specific sectors in a third country, it cannot be inferred from Article 46(1) and Article 46(2)(c) of
the GDPR that the Commission is required, before adopting such a decision, to assess the adequacy of
the level of protection ensured by the third countries to which personal data could be transferred
pursuant to such clauses.
131
In that regard, it must be borne in mind that, according to Article 46(1) of the GDPR, in the absence of
a Commission adequacy decision, it is for the controller or processor established in the European
Union to provide, inter alia, appropriate safeguards. Recitals 108 and 114 of the GDPR confirm that,
where the Commission has not adopted a decision on the adequacy of the level of data protection in a
third country, the controller or, where relevant, the processor ‘should take measures to compensate for
the lack of data protection in a third country by way of appropriate safeguards for the data subject’ and