Under Clause 14 of the Data Transfer SCCs, the data importer must carry out a transfer risk assessment to verify whether the laws and practices of the receiving third country could prevent the data importer from complying with the Data Transfer SCCs. If the risk assessment shows that the Data Transfer SCCs alone will not ensure an essentially equivalent level of protection for the personal data in the receiving third country, supplementary safeguards will need to be implemented, such as end-to-end encryption of data in transit and at rest. If no supplementary safeguards can be implemented for the data transfers at hand, the data exporter must take steps to terminate the Data Transfer SCCs or suspend the transfers.
Clause 15.1 of the Data Transfer SCCs requires the data importer to promptly notify the data exporter and concerned data subjects when receiving a government authority request to disclose personal data transferred under the Data Transfer SCCs or when becoming aware of any direct access by public authorities to such personal data. Notification to the data subjects is only required where feasible in practice, potentially with the assistance of the data exporter who has direct relationship with individuals. If notifying the data exporter of a government authority request is prohibited by law, then using best efforts should be used to obtain a waiver and communicate as much information about request as possible to data exporter.