On Monday 21 June 2021, the European Data Protection Board released the long-awaited updated Recommendations on the so-called supplementary measures that can be put in place when transferring personal data outside the European Economic Area (EEA, the 27 countries of the European Union [EU] plus Iceland, Liechtenstein and Norway). Such supplementary measures may be required to maintain an essentially equivalent level of data protection when transferring personal data to a non-EEA country (often referred to as a third country) on the basis of one of the appropriate safeguards under Article 46 GDPR. These include the use of Standard Contractual Clauses.
As we explained in this blog post when the consultation draft of the EDPB Recommendations were published back in November 2020, organizations will need to perform a Data Transfer Risk Assessment on a case-by-case basis to assess the level of protection in a third country. If there are indications that legislation may impinge on the fundamental rights and freedoms of data subjects in Europe – for example because of far-reaching government access and surveillance legislation – supplementary measures need to be put in place by the data importer in the third country to protect the personal data coming from Europe. These measures can be of a technical, organisational and/or contractual nature.
As a reminder: the six steps prescribed by the EDPB to conduct a Data Transfer Risk Assessment, are visible in the image below. These six steps have not changed.
We do note the EDPB has made some major changes in the updated version of the Recommendations compared to the consultation draft. Where before the EDPB almost completely ruled out the use of a risk-based approach to international data transfers, it now seems to greenlight it, subject to strict condit ..
Support the originator by clicking the read the rest link below.
