
Schrems II recommendations


Important recommendations of the EDPB (European Data Protection Board) after Schrems II, and the new standard contractual clauses

After Schrems II, and with it the end of the EU-US Privacy Shield (July 2020), it became very difficult for many international companies to remain compliant under the GDPR while transferring personal data outside the European Economic Area (EEA). It was clear that the standard contractual clauses (SCCs) as such may still be used, but the extra safeguards and measures to be taken, and the required review of the third country's legal and surveillance environment, created uncertainty. The German DPA of Baden-Württemberg was the first DPA to acknowledge this, and gave some recommendations on how to approach the situation. The recommendations of the EDPB (November 10, 2020), still open for comments, are now very helpful for the complex task of assessing third countries and identifying appropriate supplementary measures where needed. The recommendations set out a series of steps to follow, which largely reflect the way most companies already operate (or should). The steps include first mapping all transfers, verifying the transfer tool each transfer relies on, assessing the law and practice of the third country, and so on. The recommendations also suggest various ideas for extra measures that could be taken.

The new (draft) SCCs describe additional measures as well. Processors and controllers have many more possibilities to select the module(s) applicable to their situation, which makes it possible to tailor their obligations under the SCCs. In addition, the new clauses provide more appropriate safeguards to afford a level of protection essentially equivalent to that guaranteed within the EU.

Furthermore, the EDPB has outlined the interesting phenomenon of the "Warrant Canary", whereby the data importer commits to regularly publish (e.g. at least every 24 hours) a cryptographically signed message informing the data exporter that, as of a certain date and time, it has received no order to disclose personal data or the like. The absence of an update of this notification indicates to the exporter that the importer may have received an order.
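The mechanism described above, as an added example that is not part of the original article and not code from any DPA, importer or law firm: the importer signs a dated "no order received" statement with a long-term Ed25519 key, and the exporter accepts it only if the signature verifies against the importer's pinned public key and the statement is no older than the agreed interval. The 24-hour interval comes from the EDPB example in the text; the importer name, the statement wording, the 5-minute clock-skew allowance and the on-the-spot key generation are assumptions made for the demonstration. A missing, stale or tampered canary is reported as a distinct error, because each of those is the signal the exporter is supposed to act on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// MaxAge is the longest gap the exporter tolerates between canary updates.
// The EDPB example is "at least every 24 hours", so anything older is stale.
const MaxAge = 24 * time.Hour

// AllowedSkew tolerates small clock differences between importer and exporter
// (assumed value, not from the EDPB text).
const AllowedSkew = 5 * time.Minute

// Canary is what the importer publishes: the instant as of which it has
// received no disclosure order, and an Ed25519 signature over the canonical
// statement built from the importer name and that instant.
type Canary struct {
	AsOf      time.Time
	Signature []byte
}

// statement is the exact byte string that is signed and later verified. Both
// sides derive it from the same fields, so the exporter has nothing to parse.
func statement(importer string, asOf time.Time) []byte {
	return []byte(fmt.Sprintf(
		"As of %s, %s has received no order to disclose personal data.",
		asOf.UTC().Format(time.RFC3339), importer))
}

// PublishCanary is the importer side: sign a fresh statement with the
// importer's long-term private key.
func PublishCanary(priv ed25519.PrivateKey, importer string, asOf time.Time) Canary {
	return Canary{
		AsOf:      asOf.UTC(),
		Signature: ed25519.Sign(priv, statement(importer, asOf)),
	}
}

var (
	ErrMissing = errors.New("no canary published: treat as a possible disclosure order")
	ErrBadSig  = errors.New("signature does not verify against the importer's key")
	ErrStale   = errors.New("canary older than the agreed interval: treat as a possible disclosure order")
	ErrFuture  = errors.New("canary dated in the future: clock problem or forged statement")
)

// CheckCanary is the exporter side. It accepts the canary only if it is present,
// is signed by the importer's known public key over a statement naming the
// expected importer, and is no older than MaxAge relative to the exporter's
// own clock `now`. Signature is checked before freshness, so an old signature
// re-published under a new date is reported as ErrBadSig, not as fresh.
func CheckCanary(pub ed25519.PublicKey, c *Canary, importer string, now time.Time) error {
	if c == nil {
		return ErrMissing
	}
	if !ed25519.Verify(pub, statement(importer, c.AsOf), c.Signature) {
		return ErrBadSig
	}
	age := now.Sub(c.AsOf)
	if age < -AllowedSkew {
		return ErrFuture
	}
	if age > MaxAge {
		return ErrStale
	}
	return nil
}

func main() {
	// Constructed sample: keys are generated on the spot here; in practice the
	// exporter pins the importer's public key out of band when the transfer is
	// set up, otherwise anyone could publish a "valid" canary.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const importer = "Example Importer Inc." // hypothetical importer name
	issued := time.Date(2020, 11, 10, 9, 0, 0, 0, time.UTC)
	canary := PublishCanary(priv, importer, issued)

	fmt.Println("fresh:   ", CheckCanary(pub, &canary, importer, issued.Add(6*time.Hour)))
	fmt.Println("stale:   ", CheckCanary(pub, &canary, importer, issued.Add(30*time.Hour)))
	forwarded := canary
	forwarded.AsOf = issued.Add(48 * time.Hour) // old signature re-dated
	fmt.Println("re-dated:", CheckCanary(pub, &forwarded, importer, issued.Add(50*time.Hour)))
	fmt.Println("missing: ", CheckCanary(pub, nil, importer, issued))
}
```

The exporter's check runs on the exporter's own clock, not on any timestamp the importer supplies, which is what makes silence detectable: an importer that simply stops publishing cannot make an old canary look fresh.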

The EDPB recommendations and the new SCCs are a very welcome and useful addition for practice in privacy land. For data importers in third countries, being compliant under the GDPR no longer seems nearly impossible.


Article provided by: Bob Cordemeyer and Wouter Huisman  (Cordemeyer & Slager Advocaten, The Netherlands)
