Although the CJEU was very clear that companies need to act in order to remain in compliance with the GDPR’s requirements for cross-border data transfers, companies found themselves scrambling to make sense of the rather abstract guidance provided by the CJEU and the EDPB.
On 24 August, the Data Protection Supervisory Authority for the state of Baden-Wuerttemberg (Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg, “Supervisory Authority”), one of 17 German data protection supervisory authorities, issued more substantive guidance (“Guidance”) on how to conduct the necessary analysis and risk assessment. The Guidance is particularly noteworthy as it calls into question whether data transfers to the U.S. based on the SCCs can continue if they are not accompanied by additional measures such as encryption. In addition, the Supervisory Authority threatens companies with enforcement actions if they fail to take the required steps.
In this blog post, we summarize the Guidance, analyze the practicality of the recommendations and provide guidance on how companies should proceed.
What are the Key Features of the Guidance and What Should Companies Do?