that ‘those safeguards should ensure compliance with data protection requirements and the rights of the
data subjects appropriate to processing within the Union, including the availability of enforceable data
subject rights and of effective legal remedies … in the Union or in a third country’.
132
Since by their inherently contractual nature standard data protection clauses cannot bind the public
authorities of third countries, as is clear from paragraph 125 above, but that Article 44, Article 46(1)
and Article 46(2)(c) of the GDPR, interpreted in the light of Articles 7, 8 and 47 of the Charter, require
that the level of protection of natural persons guaranteed by that regulation is not undermined, it may
prove necessary to supplement the guarantees contained in those standard data protection clauses. In
that regard, recital 109 of the regulation states that ‘the possibility for the controller … to use standard
data-protection clauses adopted by the Commission … should [not] prevent [it] … from adding other
clauses or additional safeguards’ and states, in particular, that the controller ‘should be encouraged to
provide additional safeguards … that supplement standard [data] protection clauses’.
133
It follows that the standard data protection clauses adopted by the Commission on the basis of
Article 46(2)(c) of the GDPR are solely intended to provide contractual guarantees that apply
uniformly in all third countries to controllers and processors established in the European Union and,
consequently, independently of the level of protection guaranteed in each third country. In so far as
those standard data protection clauses cannot, having regard to their very nature, provide guarantees
beyond a contractual obligation to ensure compliance with the level of protection required under EU
law, they may require, depending on the prevailing position in a particular third country, the adoption
of supplementary measures by the controller in order to ensure compliance with that level of
protection.
134
In that regard, as the Advocate General stated in point 126 of his Opinion, the contractual mechanism
provided for in Article 46(2)(c) of the GDPR is based on the responsibility of the controller or his or
her subcontractor established in the European Union and, in the alternative, of the competent
supervisory authority. It is therefore, above all, for that controller or processor to verify, on a case-bycase basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the
third country of destination ensures adequate protection, under EU law, of personal data transferred
pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to
those offered by those clauses.
135
Where the controller or a processor established in the European Union is not able to take adequate
additional measures to guarantee such protection, the controller or processor or, failing that, the
competent supervisory authority, are required to suspend or end the transfer of personal data to the
third country concerned. That is the case, in particular, where the law of that third country imposes on
the recipient of personal data from the European Union obligations which are contrary to those clauses
and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection
against access by the public authorities of that third country to that data.
136
Therefore, the mere fact that standard data protection clauses in a Commission decision adopted
pursuant to Article 46(2)(c) of the GDPR, such as those in the annex to the SCC Decision, do not bind
the authorities of third countries to which personal data may be transferred cannot affect the validity of
that decision.
137
That validity depends, however, on whether, in accordance with the requirement of Article 46(1) and
Article 46(2)(c) of the GDPR, interpreted in the light of Articles 7, 8 and 47 of the Charter, such a
standard clauses decision incorporates effective mechanisms that make it possible, in practice, to
ensure compliance with the level of protection required by EU law and that transfers of personal data
pursuant to the clauses of such a decision are suspended or prohibited in the event of the breach of such
clauses or it being impossible to honour them.
138
As regards the guarantees contained in the standard data protection clauses in the annex to the SCC
Decision, it is clear from Clause 4(a) and (b), Clause 5(a), Clause 9 and Clause 11(1) thereof that a data
controller established in the European Union, the recipient of the personal data and any processor
thereof mutually undertake to ensure that the processing of that data, including the transfer thereof, has
been and will continue to be carried out in accordance with ‘the applicable data protection law’,