EDPB issues draft guidance on supplemental measures for data transfers following Schrems II

The European Data Protection Board (EDPB) has recommended measures to supplement personal data transfer tools to ensure compliance with EU standards when transferring data to non-EU “third countries”.

Following the Schrems II ruling, which struck down the Privacy Shield between the US and EU in July, many controllers have been relying on Standard Contractual Clauses (SCCs) as a tool for data transfers outside the EU.

Where SCC safeguards alone are not sufficient, supplementary measures are allowed in order to guarantee those equivalent personal data protections. But until now, data exporters have been waiting for clarity as to what these may look like.

The recommendations, released by the EDPB on November 10 and now set for public consultation, set out a “roadmap” for data exporters to establish whether supplementary measures are necessary and identify effective measures (see steps below).

The guidance contains a selection of use-case scenarios of supplementary measures and required conditions. Ultimate responsibility, however, still lies with the data exporters themselves, and such measures may not always be possible.

On the same day, the EDPB also provided recommendations, styled the “European Essential Guarantees”, for determining whether third country laws allowing access to data for the purposes of surveillance constitute a “justifiable interference” with privacy and personal data protections, and would therefore be GDPR-compliant.

Since July’s decision, controllers using SCCs must establish whether the law of the third country in question ensures equivalent personal data protection to that of the European Economic Area.

Verification must be done on a case-by-case basis, in collaboration with the third country recipient, if appropriate.

 

EDPB roadmap steps

  • Step one advises exporters to map and know their transfers, and ensure data transferred is “adequate, relevant and limited to what is necessary” for the purposes for which it is being transferred.
  • Step two is to verify the transfer tool the transfer relies on. If an adequacy decision with the intended data destination is not in place, the exporter must rely on one of the transfer tools listed under GDPR Article 46 for regular and repetitive transfers.
  • Step three is to identify any laws or practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools relied on, in the context of the specific transfer.
  • If the assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool relied upon for the transfer, step four is to identify and adopt supplementary measures to bring the level of data protection up to the EU standard of essential equivalence.
  • Step five is to take necessary formal procedural steps that the adoption of the chosen supplementary measure may require, depending on the Article 46 GDPR transfer tool relied upon.
  • Step six is to re-evaluate the protection of the transferred data at appropriate intervals and any developments that may affect it.
