The Schrems II judgement has left a great impact on the development of data protection and privacy. Besides invalidating the EU-US Privacy Shield as a mechanism for valid and safe data transfers to the US, the judgement also affects transfers of data outside the EU. Indeed, the main scope of the resultant measures is that of achieving a level of protection equivalent to that applicable to EU data transfers.
The Schrems II judgement has led to a revamp of the Standard Contractual Clauses (SCCs) - these are a type of transferring tool which may be used to ensure that transfers of data are appropriately safeguarded. In fact, in June 2021 the European Commission adopted two new sets of SCCs:
(i) a set for the use of controllers and/or processors within the EU, and
(ii) another set for transfer of personal data to third countries.
Both sets of SCCs may be included within contractual agreements to ensure compliance with the general data protection regulation as well as the principles resulting from the Schrems II judgement.
In trying to avoid a third variation of the Schrems II case, irrespective of the transferring tool being applied, the European Data Protection Board (EDPB) has also issued official guidelines, entitled ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’ to be implemented by all entities that transfer personal data to territories outside the EEA. These Guidelines seek to ensure that existing third country data transfers are revisited and properly documented. The Guidelines require entities to make a number of preparations, including:
Mapping out all data transfers to reflect where and which data is being transferred;
Identify and assess the transferring tool (e.g. SCCs) being applied in relation to the receiving third country;
In certain instances, identify and adopt additional measures to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This in turn, may also lead to the adoption of formal procedural steps .
Ongoing monitoring in all instances relating to the transfer of data to third countries
In view of these recent requirements, entities are encouraged to review their processes, procedures, agreements and in certain instances carry out a data transfer impact assessment. Our Data Protection team is well equipped to guide your organisation in this respect. For more information regarding our services relating to data protection and GDPR compliance, visit our General Data Protection Regulation page.
