Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.In its July Command Paper, the Government set out proposals for a new balance in how the Protocol is operated. The agenda of the forty-first plenary is available here. The EEA data protection supervisory authorities will continue coordinating their actions in the EDPB to ensure consistency in the application of EU data protection law. Data exporters will need to evaluate their data processing operations and transfers and take effective measures bearing in mind the legal order of the third countries to which they transfer or intend to transfer data.” Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as this would be ignoring the wide diversity of situations data exporters face. The Chair added: “The implications of the Schrems II judgment extend to all transfers to third countries. The European Essential Guarantees recommendations provide data exporters with elements to determine if the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with the rights to privacy and the protection of personal data, and therefore as not impinging on the commitments of the Article 46 GDPR transfer tool the data exporter and importer rely on. The recommendations on the European Essential Guarantees are complementary to the recommendations on supplementary measures. In addition, the EDPB adopted recommendations on the European Essential Guarantees for surveillance measures. They will be applicable immediately following their publication. The recommendations on the supplementary measures will be submitted to public consultation. Moreover, data exporters should know that it may not be possible to implement sufficient supplementary measures in every case. Data exporters must proceed with due diligence and document their process thoroughly, as they will be held accountable to the decisions they take on that basis, in line with the GDPR principle of accountability. However, in the end data exporters are responsible for making the concrete assessment in the context of the transfer, the third country law and the transfer tool they are relying on. To assist data exporters, the recommendations also contain a non-exhaustive list of examples of supplementary measures and some of the conditions they would require to be effective. The recommendations contain a roadmap of the steps data exporters must take to find out if they need to put in place supplementary measures to be able to transfer data outside the EEA in accordance with EU law, and help them identify those that could be effective. Our goal is to enable lawful transfers of personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the EEA.”
The EDPB hopes that these recommendations can help data exporters with identifying and implementing effective supplementary measures where they are needed. In doing so, the EDPB seeks a consistent application of the GDPR and the Court’s ruling across the EEA.ĮDPB Chair, Andrea Jelinek said: “The EDPB is acutely aware of the impact of the Schrems II ruling on thousands of EU businesses and the important responsibility it places on data exporters. The recommendations aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries. The CJEU allowed exporters to add measures that are supplementary to the SCCs to ensure effective compliance with that level of protection where the safeguards contained in SCCs are not sufficient. As a result of the ruling on July 16th, controllers relying on Standard Contractual Clauses (SCCs) are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the European Economic Area (EEA). Brussels, 11 November - During its 41st plenary session, the EDPB adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, as well as recommendations on the European Essential Guarantees for surveillance measures.īoth documents were adopted as a follow-up to the CJEU’s ‘Schrems II’ ruling.
0 kommentar(er)
