November 23, 2020
Last week we reported that the EDPB had published “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” following the CJEU’s ruling in Schrems II (Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd). The Information Commissioner’s Office has now published a statement on the EDPB’s recommendations, saying that it is reviewing them and will consider whether it needs to publish its own guidance in due course.
The ICO notes that the EDPB recommendations follow previous EDPB guidance that organisations must conduct a risk assessment as to whether a transfer tool, such as Standard Contractual Clauses (SCCs), provides enough protection within the legal framework of the destination country. If not, organisations must put extra measures in place to mitigate the risks. The ICO says that it is also reviewing the European Commission’s new GDPR SCCs currently under consultation (see last week’s news).
The ICO reiterates its advice that organisations should take stock of the international transfers they make, and update their practices as guidance and advice become available. To read the ICO’s announcement in full, click here.