The European Data Protection Board (EDPB) has recommended measures to supplement personal
data transfer tools to ensure compliance with EU standards when transferring data to non-EU “third
Following the Schrems II ruling, which struck down the Privacy Shield between the US and
EU in July, many controllers have been relying on Standard Contractual Clauses (SCCs) as a tool for
data transfers outside the EU.
Where SCC safeguards alone are not sufficient, supplementary measures are allowed in
order to guarantee those equivalent personal data protections. But until now, data
exporters have been waiting for clarity as to what these may look like.
The recommendations, released by the EDPB on November 10 and now set for public
consultation, set out a “roadmap” for data exporters to establish whether supplementary
measures are necessary and identify effective measures (see steps below).
The guidance contains a selection of use-case scenarios of supplementary measures and required
conditions. Ultimate responsibility, however, still lies with the data exporters themselves, and such
measures may not always be possible.
On the same day, the EDPB also provided recommendations, styled the “European Essential
Guarantees”, for determining whether third country laws allowing access to data for the
purposes of surveillance constitute a “justifiable interference” with privacy and personal
data protections, and would therefore be GDPR-compliant.
Since July’s decision, controllers using SCCs must establish whether the law of the third country in
question ensures equivalent personal data protection to that of the European Economic Area.
Verification must be done on a case-by-case basis, in collaboration with the third country
recipient, if appropriate.
EDPB roadmap steps
- Step one advises exporters to map and know their transfers, and ensure data transferred is “adequate, relevant and limited to what is necessary” for the purposes for which it is being transferred.
- Step two is to verify the transfer tool the transfer relies on. If an adequacy decision with the intended data destination is not in place, the exporter must rely on one of the transfer tools listed under GDPR Article 46 for regular and repetitive transfers.
- Step three is to identify any laws or practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools relied on, in the context of the specific transfer.
- If the assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool relied upon for the transfer, step four is to identify and adopt supplementary measures to bring the level of data protection up to the EU standard of essential equivalence.
- Step five is to take necessary formal procedural steps that the adoption of the chosen supplementary measure may require, depending on the Article 46 GDPR transfer tool relied upon.
- Step six is to re-evaluate the protection of the transferred data at appropriate intervals and any developments that may affect it.