European Data Protection Board Issues Recommendations on Supplementary Measures for SCCs in Wake of Schrems II

White and Williams LLP
Contact
LinkedIn
Facebook
X
Send
Embed

White and Williams LLP

In follow up to the Court of Justice of the European Union's (CJEU) ruling in Schrems II, the European Data Protection Board (EDPB) has just adopted for public comment draft recommendations for supplementary measures for transferring personal data outside the European Economic Area (EEA). The document, “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data,” was adopted on November 10, 2020 to ensure compliance with the EU-level of protection of personal data when such data is transmitted outside the EEA under use of Standard Contractual Clauses (SCCs).

According to a press release issued by the EDPB, as a result of the Schrems II ruling, data controllers that rely on SCCs to effect the transmission of personal data outside the EEA must now verify on a case-by-case basis if the law of the non-EEA country to where the data will be transmitted ensures an adequate level of protection of the personal data that is afforded under EU law. In holding, the CJEU allowed data exporters to add supplementary measures to the SCCs to ensure that adequate protection is afforded to the personal data in compliance with the court’s decision. According to the EDPB, the recommendations “contain a roadmap” of actions data controllers must undertake to determine if they need to implement supplementary measures to the SCCs to lawfully transfer personal data outside the EEA to a third country. The press release states:

The recommendations aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries. In doing so, the EDPB seeks a consistent application of the GDPR and the Court’s ruling across the EEA.

Recommendations to data exporters include:

  • understand all your personal data transfers;
  • verify the transfer tool the data transfer relies on;
  • assess whether the Article 46 GDPR transfer tool relied upon is effective in light of all circumstances of the transfer;
  • adopt supplementary measures if the Article 46 GDPR transfer tool is ineffective;
  • undertake procedural steps if effective supplementary measures have been identified; and
  • re-evaluate at appropriate intervals.

The recommendations also contain a non-exhaustive list of case specific examples of effective supplementary measures. The recommendations will be submitted for public comment, and will be applicable immediately following their final publication.

Separately, the European Commission has published a draft of revised Standard Contractual Clauses for public comment. Comments for the modified SCCs are due by December 10, 2020 (midnight, Belgium time).

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White and Williams LLP | Attorney Advertising

Written by:

White and Williams LLP
White and Williams LLP
Contact
more
less

White and Williams LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide