Following the CJEU’s judgment in Schrems II, which found that organisations relying on the Standard Contractual Clauses (SCCs) may need to implement further safeguards, The European Data Protection Board (EDPB) have presented recommendations on measures that organisations should consider following. According to these recommendations data exporters would be required to verify, on a case-by-case basis if the law of the third country ensures a level of protection of the personal data transferred that is the equivalent to the level in the EEA. If not the data exporter should add measures that are supplementary to the SCCs to ensure effective compliance with that level of protection where the safeguards contained in SCCs are not sufficient
The recommendations include a 6-step process which include mapping out the data transfers and also identifying the transfer tools which are being relied on such as an adequacy decision or SCCs. To assist data exporters, the recommendations also contain a non-exhaustive list of examples of supplementary measures, such as implementing organisational and technical measures which may consist of internal policies.
The recommendations will be submitted to public consultation and will be applicable immediately following their publication
Click here to read more.