EDPB adopts recommendations on supplementary measures following Schrems II

November 13, 2020

The European Data Protection Board has adopted recommendations on measures that supplement transfer tools to ensure compliance with EU laws on protecting personal data, as well as recommendations on the European Essential Guarantees for surveillance measures. 

The recommendations have been issued as the EU Commission has published for consultation (until 22 December 2020) a new draft Decision on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council. It contains four contracts including a data processor to data (sub)processor agreement and provides a one year grace period for the old SCCs 2001/497/EC and 2010/87/EU, but data exporters and importers should take “supplementary measures” to ensure that the transfer of personal data is subject to appropriate safeguards within the meaning of Article 46(1) GDPR.

The recommendations follow the CJEU’s Schrems II July ruling. As a result of the ruling, controllers relying on standard contractual clauses (SCCs) for their data transfers outside the EEA are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the EEA. The CJEU ruling allows data exporters to add measures that are supplementary to the SCCs to ensure effective compliance with that level of protection where the safeguards contained in SCCs are not sufficient.

The EDPB recommendations aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries. In doing so, the EDPB seeks a consistent application of the GDPR and the CJEU’s ruling across the EEA. 

The recommendations contain a roadmap of the steps data exporters must take to find out if they need to put in place supplementary measures to be able to transfer data outside the EEA in accordance with EU law, and help them identify those that could be effective. To assist data exporters, the recommendations also contain a non-exhaustive list of examples of supplementary measures and some of the conditions they would require to be effective. 

However, the EDPB points out that ultimately data exporters are responsible for making the concrete assessment in the context of the transfer, the third country law and the transfer tool they are relying on. It says that data exporters must proceed with due diligence and document their process thoroughly, as they will be held accountable for the decisions they make under the principle of accountability set out in the GDPR. The EDPB also says that it may not be possible to implement sufficient supplementary measures in every case.

The recommendations on the supplementary measures are subject to consultation and will apply immediately following their publication. 

In addition, the EDPB has adopted recommendations on the European Essential Guarantees for surveillance measures. These complement the supplementary measures and help data exporters decide whether the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with the rights to privacy and the protection of personal data, and therefore not having an impact on the commitments of the Article 46 GDPR transfer tool relied on by data exporters and importers.

The EDPB says that the EEA data protection supervisory authorities will continue coordinating their actions in the EDPB with the aim of ensuring consistency when applying EU data protection law.