144

It should be added that, under Clause 4(f) in the annex to the SCC Decision, a controller established in
the European Union undertakes, where special categories of data could be transferred to a third country
not providing adequate protection, to inform the data subject before, or as soon as possible after, the
transfer. That notice enables the data subject to be in a position to bring legal action against the
controller pursuant to Clause 3(1) in that annex so that the controller suspends the proposed transfer,
terminates the contract concluded with the recipient of the personal data or, where appropriate, requires
the recipient to return or destroy the data transferred.

145

Lastly, under Clause 4(g) in that annex, the controller established in the European Union is required,
when the recipient of personal data notifies him or her, pursuant to Clause 5(b), in the event of a
change in the relevant legislation which is likely to have a substantial adverse effect on the warranties
and obligations provided by the standard data protection clauses, to forward any notification to the
competent supervisory authority if the controller established in the European Union decides,
notwithstanding that notification, to continue the transfer or to lift the suspension. The forwarding of
such a notification to that supervisory authority and its right to conduct an audit of the recipient of
personal data pursuant to Clause 8(2) in that annex enable that supervisory authority to ascertain
whether the proposed transfer should be suspended or prohibited in order to ensure an adequate level of
protection.

146

In that context, Article 4 of the SCC Decision, read in the light of recital 5 of Implementing Decision
2016/2297, supports the view that the SCC Decision does not prevent the competent supervisory
authority from suspending or prohibiting, as appropriate, a transfer of personal data to a third country
pursuant to the standard data protection clauses in the annex to that decision. In that regard, as is
apparent from the answer to the eighth question, unless there is a valid Commission adequacy decision,
the competent supervisory authority is required, under Article 58(2)(f) and (j) of the GDPR, to suspend
or prohibit such a transfer, if, in its view and in the light of all the circumstances of that transfer, those
clauses are not or cannot be complied with in that third country and the protection of the data
transferred that is required by EU law cannot be ensured by other means, where the controller or a
processor has not itself suspended or put an end to the transfer.

147

As regards the fact, underlined by the Commissioner, that transfers of personal data to such a third
country may result in the supervisory authorities in the various Member States adopting divergent
decisions, it should be added that, as is clear from Article 55(1) and Article 57(1)(a) of the GDPR, the
task of enforcing that regulation is conferred, in principle, on each supervisory authority on the
territory of its own Member State. Furthermore, in order to avoid divergent decisions, Article 64(2) of
the GDPR provides for the possibility for a supervisory authority which considers that transfers of data
to a third country must, in general, be prohibited, to refer the matter to the European Data Protection
Board (EDPB) for an opinion, which may, under Article 65(1)(c) of the GDPR, adopt a binding
decision, in particular where a supervisory authority does not follow the opinion issued.

148

It follows that the SCC Decision provides for effective mechanisms which, in practice, ensure that the
transfer to a third country of personal data pursuant to the standard data protection clauses in the annex
to that decision is suspended or prohibited where the recipient of the transfer does not comply with
those clauses or is unable to comply with them.

149

In the light of all of the foregoing considerations, the answer to the 7th and 11th questions is that
examination of the SCC Decision in the light of Articles 7, 8 and 47 of the Charter has disclosed
nothing to affect the validity of that decision.

The 4th, 5th, 9th and 10th questions

150

By its ninth question, the referring court wishes to know, in essence, whether and to what extent
findings in the Privacy Shield Decision to the effect that the United States ensures an adequate level of
protection are binding on the supervisory authority of a Member State. By its 4th, 5th and 10th
questions, that court asks, in essence, whether, in view of its own findings on US law, the transfer to
that third country of personal data pursuant to the standard data protection clauses in the annex to the
SCC Decision breaches the rights enshrined in Articles 7, 8 and 47 of the Charter and asks the Court,
