17
reference to the SCCs as adopted by the European Commission (e.g. by providing a link to the
Commission’s website) is not sufficient (see Module 1, Clause 8.2 of the SCCs; Module 2, Clause 8.3
and Module 4, Clause 8.3). When providing you with a copy of the clauses, the parties may only
redact information that concerns business secrets or other confidential information (e.g. personal
data of other individuals), but have to explain why it was left out. If the remaining text becomes too
difficult to understand, the parties must provide a meaningful summary of the redacted parts (see
Module 1, Clause 8.2 of the SCCs; Module 2, Clause 8.3 and Module 4, Clause 8.3).
In addition, under the GDPR and the SCCs, you have the right to obtain information (e.g. on the data
that is transferred, the purpose of the processing, the recipients with whom your data has been or
will be shared, and the right to lodge a complaint with a supervisory authority) from the entity that
is responsible for the processing of your data (i.e. the ‘controller’). In particular, you can request
information about the handling of your data, including data transfers, from a data exporter acting as
a controller pursuant to Article 15 of the GDPR. If data has been transferred by a controller to an
entity outside the EEA that uses your data for its own purposes (i.e. as another ‘controller’), the data
exporter will only be able to provide information about its own activities (in addition to the fact that
data is transferred outside the EEA). However, in that case, you can exercise your right to obtain
information directly against the controller outside the EEA based on the SCCs (Module 1, Clause 10
of the SCCs).
If several entities are involved in the processing of your data and you do not know who the
controller is, you can either contact (1) the entity that has transferred your data (the data exporter)
or (2) the entity outside of Europe that has received your data (the data importer). If the entity you
turned to is not able to respond to you directly (because it only acts as a service provider on behalf
of the other entity), the SCCs require both parties to cooperate to handle your request in an
effective and timely manner.
What if my data was processed in violation of the SCCs, can I obtain redress (e.g.
compensation for damages)? Where can I lodge a complaint?
The SCCs provide different avenues to obtain redress, both against the data exporter and the data
importer. In particular, even though you are not a party to the SCCs, the SCCs allow you to enforce
those clauses that contain specific safeguards for the use of your data directly against the parties as
a third party beneficiary (see Clause 3 of the SCCs).
First, you have the possibility to lodge a complaint directly with the data importer, who should have
designated a specific contact point to handle complaints (see Clause 11(a) of the SCCs). If the data
importer offers the possibility to lodge a complaint with an independent dispute resolution body,
you can also turn to that body.
Second, you have the possibility to lodge a complaint before the data protection authority of the
EEA country where you are a resident. You can bring such a complaint directly against the data
importer, if you consider that it has acted in violation of the SCCs (see Clause 11(c) of the SCCs) or
against the data exporter, if you consider that it has processed your data unlawfully (see Article 77 of
the GDPR).
Third, you can initiate proceedings in court against the parties to the SCCs, for instance to obtain
injunctive relief or claim compensation for damages. In particular, the parties to the SCCs are liable
for any material or non-material damages that they cause you by breaching the provisions of the
SCCs that that provide safeguards for the handling of your data or ensure specific rights (see Clause