This week saw two major long-awaited updates from Europe. On 10 November 2020, the European Data Protection Board (EDPB) adopted the first version of their Recommendations on how to deal with data transfers following the Schrems-II judgment of the Court of Justice of the European Union (CJEU) which reviewed certain data transfer mechanisms under the General Data Protection Regulations (GDPR). At the same time, the EDPB adopted an updated version of their earlier guidelines on the European Essential Guarantees: criteria that a third country’s(1) legislation needs to meet in order to justify an interference with the right to privacy and data protection. Two days later, the European Commission released the draft of new standard contractual clauses for consultation.
EDPB Action Plan
The EDPB starts their Recommendations with a process description: what should organizations transferring personal data do following the Schrems-II judgment? In principle, all steps are directed at the data exporter – the organization established in the European Economic Area (EEA) transferring personal data to a third country. However, on multiple occasions the EDPB suggests that the data exporter and the data importer – the recipient in the third country – work closely together in completing the assessments.
The steps to take are as follows:
Know your data transfers: review all business processes for any potential cross-border data transfers and onward transfers. This information should be ..
Support the originator by clicking the read the rest link below.
