On June 18th, the European Data Protection Board (EDPB) adopted the final version of its Recommendations on supplementary measures for data transferred to countries located outside the European Economic Area (“EEA”).
In light of the recent Schrems II judgment (C-311/18) of the Court of Justice of the European Union (“CJEU”), the Board has updated its recommendations regarding the transfer of data, namely the obligations of controllers and processors whenever they transfer personal data outside the EEA.
The Court states that controllers or processors acting as exporters are responsible, when transferring personal data outside the EEA, for verifying on a case-by-case basis whether the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. In those cases, the Court still leaves open the possibility for exporters to implement supplementary measures that fill these gaps in protection and bring it up to the level required by EU law, as it does not specify which measures these could be.