namely, according to the definition set out in Article 3(f) of that decision, ‘the legislation protecting the
fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to
the processing of personal data applicable to a data controller in the Member State in which the data
exporter is established’. The provisions of the GDPR, read in the light of the Charter, form part of that
legislation.
139
In addition, a recipient of personal data established in a third country undertakes, pursuant to
Clause 5(a), to inform the controller established in the European Union promptly of any inability to
comply with its obligations under the contract concluded. In particular, according to Clause 5(b), the
recipient certifies that it has no reason to believe that the legislation applicable to it prevents it from
fulfilling its obligations under the contract entered into and undertakes to notify the data controller
about any change in the national legislation applicable to it which is likely to have a substantial adverse
effect on the warranties and obligations provided by the standard data protection clauses in the annex
to the SCC Decision, promptly upon notice thereof. Furthermore, although Clause 5(d)(i) allows a
recipient of personal data not to notify a controller established in the European Union of a legally
binding request for disclosure of the personal data by a law enforcement authority, in the event of
legislation prohibiting that recipient from doing so, such as a prohibition under criminal law the aim of
which is to preserve the confidentiality of a law enforcement investigation, the recipient is nevertheless
required, pursuant to Clause 5(a) in the annex to the SCC Decision, to inform the controller of his or
her inability to comply with the standard data protection clauses.
140
Clause 5(a) and (b), in both cases to which it refers, confers on the controller established in the
European Union the right to suspend the transfer of data and/or to terminate the contract. In the light of
the requirements of Article 46(1) and (2)(c) of the GDPR, read in the light of Articles 7 and 8 of the
Charter, the controller is bound to suspend the transfer of data and/or to terminate the contract where
the recipient is not, or is no longer, able to comply with the standard data protection clauses. Unless the
controller does so, it will be in breach of its obligations under Clause 4(a) in the annex to the SCC
Decision as interpreted in the light of the GDPR and of the Charter.
141
It follows that Clause 4(a) and Clause 5(a) and (b) in that annex oblige the controller established in the
European Union and the recipient of personal data to satisfy themselves that the legislation of the third
country of destination enables the recipient to comply with the standard data protection clauses in the
annex to the SCC Decision, before transferring personal data to that third country. As regards that
verification, the footnote to Clause 5 states that mandatory requirements of that legislation which do
not go beyond what is necessary in a democratic society to safeguard, inter alia, national security,
defence and public security are not in contradiction with those standard data protection clauses.
Conversely, as stated by the Advocate General in point 131 of his Opinion, compliance with an
obligation prescribed by the law of the third country of destination which goes beyond what is
necessary for those purposes must be treated as a breach of those clauses. Operators’ assessments of
the necessity of such an obligation must, where relevant, take into account a finding that the level of
protection ensured by the third country in a Commission adequacy decision, adopted under
Article 45(3) of the GDPR, is appropriate.
142
It follows that a controller established in the European Union and the recipient of personal data are
required to verify, prior to any transfer, whether the level of protection required by EU law is respected
in the third country concerned. The recipient is, where appropriate, under an obligation, under
Clause 5(b), to inform the controller of any inability to comply with those clauses, the latter then being,
in turn, obliged to suspend the transfer of data and/or to terminate the contract.
143
If the recipient of personal data to a third country has notified the controller, pursuant to Clause 5(b) in
the annex to the SCC Decision, that the legislation of the third country concerned does not allow him
or her to comply with the standard data protection clauses in that annex, it follows from Clause 12 in
that annex that data that has already been transferred to that third country and the copies thereof must
be returned or destroyed in their entirety. In any event, under Clause 6 in that annex, breach of those
standard clauses will result in a right for the person concerned to receive compensation for the damage
suffered.