Under the GDPR, organisations may transfer personal data outside the EEA to countries without adequacy status from the European Commission on the basis of transfer tools – i.e. approved standard contractual clauses (SCCs), ad hoc contracts approved by a national supervisory authority, binding corporate rules (BCRs), codes of conduct or certification mechanisms. Following the interpretation of the GDPR by the CJEU in the Schrems II decision, organisations relying on transfer tools must also ensure that the level of protection for the personal data in the destination country is essentially equivalent to that guaranteed in the EEA. This requires an assessment of the level of data protection law and practice in the destination country in the context of the specific transfer, and may require putting in place supplementary measures in addition to the transfer tool.
The final Recommendations address the steps organisations need to take before a transfer can take place, explain how to conduct the required assessment, and identify the supplementary measures necessary to achieve the required level of protection. The final version provides a more practical view of compliance with the transfer obligations and introduces a risk-based approach to that compliance. However, the risk-based assessment requires thorough analysis of any subjective elements (i.e. the experience of the importer with data access requests), proper documentation of the decision-making process and substantiation of the findings by multiple sources.
The main changes in the final Recommendations, as compared to the November 2020 draft, are summarised below:
The final Recommendations are available here.