On 11 November 2020, the European Data Protection Board (EDPB), during its 41st plenary session, adopted recommendations on measures that supplement transfer tools to ensure compliance with the level of protection of personal data required under EU law (Recommendations on Supplementary Measures), as well as recommendations on the European Essential Guarantees for surveillance measures (Recommendations on Essential Guarantees).
This post discusses the Recommendations on Supplementary Measures – you can find our post on the Recommendations on Essential Guarantees here.
Both documents were adopted following the “Schrems II” ruling handed down by the Court of Justice of the European Union (CJEU) on 16 July. As a result of that ruling, controllers relying on Standard Contractual Clauses are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the European Economic Area.
The Recommendations on Supplementary Measures aim to help exporters (whether controllers or processors, private entities or public bodies, each processing personal data within the scope of application of the GDPR) with the complex task of assessing the regulations of third countries and identifying appropriate supplementary measures where needed. The Recommendations on Supplementary Measures provide exporters with a series of steps to follow, potential sources of information, and some examples of supplementary measures that could be put in place.
In particular, the Recommendations on Supplementary Measures expand on the following steps as a roadmap to complying with the requirements arising from the GDPR and Schrems II:
- Know your transfers
- Verify the transfer tool your transfer relies on
- Assess whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer
- Identify and adopt supplementary measures necessary to bring the level of protection to EU standards
- Take any formal procedural steps
- Re-evaluate at appropriate intervals the level of protection afforded to the data transferred to third countries
The Recommendations on Supplementary Measures stipulate that ultimately data exporters are responsible for making a concrete assessment in the context of the transfer, the third country’s laws and the transfer tool they are relying on. Data exporters must proceed with due diligence and document their process thoroughly, as they will be held accountable for the decisions they take on that basis, in line with the GDPR principle of accountability. Moreover, data exporters should know that it may not be possible to implement sufficient supplementary measures in every case.
The Recommendations on Supplementary Measures will be submitted to public consultation. They will be applicable immediately following their publication.
The EDPB’s press release can be found here.
The Recommendations on Supplementary Measures can be found here.
Our post on the Recommendations on Essential Guarantees can be found here.
Our post on the CJEU’s “Schrems II” ruling can be found here.