The European Data Protection Board (EDPB) has adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, and recommendations on the European Essential Guarantees for surveillance measures.
Both documents were adopted during the EDPB'ss 41st plenary session, and are intended to address the requirements set out in the European Court of Justice’s ‘Schrems II’ ruling. Following this ruling, controllers relying on Standard Contractual Clauses (SCCs) are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the European Economic Area (EEA). Schrems II allowed exporters to add measures that are supplementary to the SCCs to ensure effective compliance with that level of protection where the safeguards contained in SCCs are not sufficient.
The formal recommendations now aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries. Even with this guidance, however, in the end, data exporters remain responsible for making the concrete assessment in the context of the transfer, the third country law, and the specific transfer tool they are relying on.
Still, data exporters must proceed with caution, and document their process thoroughly, as they will be held accountable to the decisions they take on that basis, in line with the GDPR principle of accountability. Moreover, data exporters should know that it may not be possible to implement sufficient supplementary measures in every case.
EDPB Chair, Andrea Jelinek said: “The EDPB is acutely aware of the impact of the Schrems II ruling on thousands of EU businesses and the important responsibility it places on data exporters. The EDPB hopes that these recommendations can help data exporters with identifying and implementing effective supplementary measures where they are needed. Our goal is to enable lawful transfers of personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the EEA.”
To access the EDPB formal guidance, click on the links below.
We will, of course, continue to monitor this important legal development, and update our clients as appropriate. If you have any questions about this or any other privacy law, please do not hesitate to reach out to the author, Harry Valetk.
“The EDPB is acutely aware of the impact of the Schrems II ruling on thousands of EU businesses and the important responsibility it places on data exporters. The EDPB hopes that these recommendations can help data exporters with identifying and implementing effective supplementary measures where they are needed."