
No rest for the European Data Protection Board


Published 20 November 2020


This month has seen a flurry of activity amongst European authorities and regulators in the data protection sphere.

The European Data Protection Board (EDPB), which includes representatives from the data protection regulators of each EU member state, has published a number of recommendations that businesses should take note of in order to comply with the General Data Protection Regulation (GDPR).

Firstly, in the wake of the much-publicised Schrems II case this summer, the EDPB has endeavoured to give some much-needed clarity on what organisations need to do if they want to transfer personal data outside of the European Economic Area (EEA). Assuming that other routes to achieving this in compliance with the GDPR (such as sending personal data to a country that has received an adequacy decision from the EU) are unavailable, where organisations wish to rely on the EU Commission’s standard contractual clauses (SCCs), the recommendations confirm that they must verify on a case-by-case basis whether the destination country affords a level of protection equivalent to that within the EEA. In addition, they must supplement the SCCs with additional measures, ranging from technical and organisational to contractual. Whichever steps are taken must be documented to comply with the GDPR’s accountability duty.

The recommendations also stress the need to consider whether access to transferred personal data by government or surveillance authorities in the destination country is likely. If so, exporting organisations will need to consider whether this access may undermine the SCCs. A second set of recommendations sets out four criteria, known as ‘essential guarantees’, against which to determine whether the interference of the destination country’s surveillance laws with individuals’ data protection and privacy rights is acceptable by EU standards. These are as follows:

  • Is the processing based on clear, precise, and accessible rules?
  • Is the processing necessary and proportionate to the legitimate objectives pursued?
  • Is there an independent oversight mechanism?
  • Are effective remedies available to individuals concerned?

In addition, the European Commission has at last published its draft set of revised standard contractual clauses, which are currently open for consultation and are expected to be formally adopted early next year. Happily, these include processor-to-controller standard contractual clauses, which, in the event the UK receives no adequacy decision from the EU before the end of the Brexit transition period, could be the lifeline businesses need to establish compliant personal data flows from the EEA to a UK that will soon be a ‘third country’.

Raj Shah and Howard Ricklow from Collyer Bristow’s data privacy team will be discussing all of the above and more in a live interactive webinar on Thursday 26 November 2020 at 11am GMT. To register your interest, please click here.

https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf
