(108)
In the absence of an adequacy decision, the controller or processor should take measures to
compensate for the lack of data protection in a third country by way of appropriate safeguards for
the data subject. Such appropriate safeguards may consist of making use of binding corporate
rules, standard data protection clauses adopted by the Commission, standard data protection
clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory
authority. Those safeguards should ensure compliance with data protection requirements and the
rights of the data subjects appropriate to processing within the Union, including the availability
of enforceable data subject rights and of effective legal remedies, including to obtain effective
administrative or judicial redress and to claim compensation, in the Union or in a third country.
They should relate in particular to compliance with the general principles relating to personal
data processing, the principles of data protection by design and by default. …
(109)
The possibility for the controller or processor to use standard data-protection clauses adopted
by the Commission or by a supervisory authority should prevent controllers or processors neither
from including the standard data-protection clauses in a wider contract, such as a contract
between the processor and another processor, nor from adding other clauses or additional
safeguards provided that they do not contradict, directly or indirectly, the standard contractual
clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental
rights or freedoms of the data subjects. Controllers and processors should be encouraged to
provide additional safeguards via contractual commitments that supplement standard protection
clauses.
…
(114)
In any case, where the Commission has taken no decision on the adequate level of data
protection in a third country, the controller or processor should make use of solutions that
provide data subjects with enforceable and effective rights as regards the processing of their data
in the Union once those data have been transferred so that that they will continue to benefit from
fundamental rights and safeguards.
…
(116)
When personal data moves across borders outside the Union it may put at increased risk the
ability of natural persons to exercise data protection rights in particular to protect themselves
from the unlawful use or disclosure of that information. At the same time, supervisory authorities
may find that they are unable to pursue complaints or conduct investigations relating to the
activities outside their borders. Their efforts to work together in the cross-border context may
also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and
practical obstacles like resource constraints. …
…
(141)
9
Every data subject should have the right to lodge a complaint with a single supervisory
authority, in particular in the Member State of his or her habitual residence, and the right to an
effective judicial remedy in accordance with Article 47 of the Charter if the data subject
considers that his or her rights under this Regulation are infringed or where the supervisory
authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does
not act where such action is necessary to protect the rights of the data subject. …’
Article 2(1) and (2) of the GDPR provides:
‘1.
This Regulation applies to the processing of personal data wholly or partly by automated means
and to the processing other than by automated means of personal data which form part of a filing
system or are intended to form part of a filing system.
2.
This Regulation does not apply to the processing of personal data:
(a)
in the course of an activity which falls outside the scope of Union law;