During its plenary session, the EDPB adopted a final version of the Recommendations on supplementary measures following public consultation. The Recommendations were first adopted in November 2020 following the CJEU Scherms II ruling. They aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries.
The final version of the Recommendations includes several changes to address comments and feedback received during the public consultation and places a special focus on the practices of a third country’s public authorities.
Among the main modifications are:
- the emphasis on the importance of examining the practices of third country public authorities in the exporters’ legal assessment to determine whether the legislation and/or practices of the third country impinge - in practice - on the effectiveness of the Art. 46 GDPR transfer tool.
- the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats.
- and the clarification that the legislation of the third country of destination allowing its authorities to access the data transferred, even without the importer’s intervention, may also impinge on the effectiveness of the transfer tool.
Regarding the recently published new standard contractual clauses for international transfers by the European Commission, the Recommendations are helpful to check “Local laws and practices affecting compliance with the Clauses” (Clause 14 of the new SCCs) and the possible need to implement supplementary measures.
EDPB Chair Andrea Jelinek said: “The impact of Schrems II cannot be underestimated: already international data flows are subject to much closer scrutiny from the supervisory authorities who are conducting investigations at their respective levels. The goal of the EDPB Recommendations is to guide exporters in lawfully transferring personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the European Economic Area. By clarifying some doubts expressed by stakeholders, and in particular the importance of examining the practices of public authorities in third countries, we want to make it easier for data exporters to know how to assess their transfers to third countries and to identify and implement effective supplementary measures where they are needed. The EDPB will continue considering the effects of the Schrems II ruling and the comments received from stakeholders in its future guidance.”
The full text of the Recommendations is available here: https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en
It is important for business information providers who are exchanging data with non -Eu and third party countries to have a look at these recommendations and at the new SCCs (Standard Contractual Clauses) for international transfers set out by the European Commission at the beginning of June 2021.