June 28, 2021
During its 50th plenary session on 18 June 2021, the EDPB adopted a final version of its Recommendations on supplementary measures for transfer tools following public consultation. The Recommendations were first adopted in November 2020 following the CJEU Schrems II ruling. They aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries.
The final version of the Recommendations includes several changes to address comments and feedback received during the public consultation and places a special focus on the practices of a third country’s public authorities.
The main changes include:
- emphasis on the importance of examining the practices of third country public authorities in the exporter’s legal assessment to determine whether the legislation and/or practices of the third country impinge, in practice, on the effectiveness of the Article 46 GDPR transfer tool;
- addition of the suggestion that the exporter, when carrying out its assessment, considers the practical experience of the importer, amongst other things and with certain caveats; and
- clarification that the legislation of the third country of destination allowing its authorities to access the data transferred, even without the importer’s intervention, may also impinge on the effectiveness of the transfer tool.
Regarding the recently published new standard contractual clauses for international transfers by the European Commission, the Recommendations are helpful to check “Local laws and practices affecting compliance with the Clauses” (Clause 14 of the new SCCs) and the possible need to implement supplementary measures.
EDPB Chair Andrea Jelinek said: “The impact of Schrems II cannot be underestimated: already international data flows are subject to much closer scrutiny from the supervisory authorities who are conducting investigations at their respective levels. The goal of the EDPB Recommendations is to guide exporters in lawfully transferring personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the European Economic Area. By clarifying some doubts expressed by stakeholders, and in particular the importance of examining the practices of public authorities in third countries, we want to make it easier for data exporters to know how to assess their transfers to third countries and to identify and implement effective supplementary measures where they are needed. The EDPB will continue considering the effects of the Schrems II ruling and the comments received from stakeholders in its future guidance.” To access the Recommendations, click here.