HomeInsightsEuropean Data Protection Supervisor publishes Strategy for EU institutions to comply with “Schrems II” ruling

Article by

The Strategy aims to monitor the compliance of European institutions, bodies, offices and agencies (EUIs) with the judgment in Case C-311/18 Data Protection Commission v Facebook Ireland Ltd EU:C:2020:559 (Schrems II) in relation to transfers of personal data to third countries, in particular the US. The goal is to ensure that ongoing and future international transfers comply with the EU Charter of Fundamental Rights as well as all applicable EU data protection legislation.

The Strategy distinguishes between short-term and medium-term compliance. In the short term, EUIs must carry out a mapping exercise to identify which current controller to processor contracts and/or processor to sub-processor contracts involve transfers of data that have no legal basis, are based on derogations, or are to private entities in the US. In the short term, the EDPS is strongly encouraging EUIs not to start any new processing operations or to enter into new contracts with service providers that involve transfers of personal data to the US.

In the medium term, EUIs will be asked to carry out case-by-case Transfer Impact Assessments (TIAs) to identify whether an essentially equivalent level of protection as provided in the EU/EEA is afforded in the third country destination. Using these TIAs, the EUIs should be able to decide whether they can continue the transfers identified in the mapping exercise or whether extra measures/additional safeguards are required. EUIs will then be asked to report to the EDPS in Spring 2021 on transfers to third countries that do not ensure an essentially equivalent level of protection, transfers that are suspended or terminated, and transfers based on derogations.

The EDPS will then establish long-term compliance priorities for 2021. To read the Strategy in full, click here.