EDPB recommendations after Schrems II case

Schrems II: EDPB adopts “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.”

On 10 November 2020, during its 41st plenary session, the European Data Protection Board (EDPB) adopted “recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”. This was as a direct result of the Court of Justice of the European Union (CJEU)’s “Schrems II” ruling on 16 July 2020 (Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18).

Schrems II concerned the validity of standard contractual clauses (SCCs) for the transfer of personal data to third countries. In Schrems II the CJEU held that SCCs are a valid export mechanism under Article 46 of the EU General Data Protection Regulation (GDPR). However, it went on to hold that organisations cannot rely on simply executing SCCs alone and must, together with the data recipient in the third country (if appropriate), ensure that additional assessments are undertaken to verify, on a case by case basis, that the legal protections afforded the transferred personal data in the third country are equivalent to that guaranteed in the European Economic Area (EEA). If they are not data exporters must supplement the SCCs to ensure equivalence with protections afforded personal data in the EEA. Simply put, the EEA protections must travel with the personal data wherever it goes; the protections do not need to be identical to those in the EEA but must be equivalent.

The recommendations set out a roadmap of six steps that data exporters (whether controllers or processors) can follow to determine whether they need to put in place supplementary measures to fill any gaps in the protection and bring it up to the level required by EU law together with potential sources of information and a non-exhaustive list of examples of supplementary measures they may wish to adopt and conditions they would require to be effective.

The recommendations make it clear that it is the data exporter who is accountable (under Article 5.2 GDPR) and therefore it is imperative that data exporters can demonstrate, on a case by case basis, that they carried out the required due diligence, analysed the information and documented the process they followed to demonstrate compliance with the GDPR principles relating to processing of personal data.

The recommendations can be found here

They are open to public consultation until 30 November 2020. The recommendations will be immediately applicable following their publication.

23 November 2020

Further Information