'Most Innovative Startup 2020' by RSA - Watch the video

Learn More

Schrems II Resources

Conduct EU-US Data Transfer Risk Assessments based on Schrems II decision

  • Pre-built EU-US Data Transfer Risk Assessments
  • Automatically identify and remediate risks
  • Real-time collaboration and messaging
Watch the video

Automation of privacy assessment collection from third parties, collaboration among stakeholders, follow-ups and compliance analytics


Identify and review data transfers from the European Union

  • Gather information on data assets & processes
  • Generate visual data maps
  • Identify cross-border data transfers
  • Initiate PIAs/DPIAs or Schrems II risk assessments
Watch the video

Simplify gathering information, dynamically update your data catalog, and automate assessments and reports


Manage and remediate discovered vendor risks

  • Comprehensive view of vendor assessment risks
  • Trendlines over time through a consolidated risk score.
  • Automated vendor privacy ratings

Overview

After the invalidation of Privacy Shield, many companies are relying on the SCCs in order to continue transferring data of EU citizens to companies based in countries who are not deemed adequate for data transfer.

After the CJEU judgement, it is clear that these companies have to conduct Risk Assessments with the data recipients in these countries in order to ensure they have enough controls to mitigate any potential data or regulatory risk.

Schrems-II DPA Response Table

SECURTI.ai is staying on top of how regulators are reacting to the Schrems-II decision. Check back to stay updated on the latest guidance.

Updated 30th June 2021
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
European Data Protection Supervisor (EDPS)

"The EDPS welcomes that the Court of Justice of the European Union, in its landmark Grand Chamber judgment of 16 July 2020, reaffirmed the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries...The EDPS notes that the Court, while in principle confirming the validity of Standard Contractual Clauses (SCC), provided welcomed clarifications regarding the responsibilities of controllers and European DPAs to take into account the risks linked to the access to personal data by the public authorities of third countries. European supervisory authorities have the duty to diligently enforce the applicable data protection legislation and, where appropriate, to suspend or prohibit transfers of data to a third country. As the supervisory authority of the EU institutions, bodies, offices and agencies, the EDPS is carefully analysing the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies. The example of the recent EDPS’ own-initiative investigation into European institutions’ use of Microsoft products and services confirms the importance of this challenge."

Keeping in view the risk-based approach, the EDPS recommends certain (1) short-term action plans for data transfers to the United States that present high risks, and (2) medium-term action plans for all data transfers to the U.S and other third countries.

(1) Short-term action plans:

*Mapping: Pursuant to the order of the EDPS released on 5 October 2020, EUIs shall carry out an inventory of all on-going cross-border data processing activities. EUIs will maintain descriptions of data processing operations, destinations, recipients, transfer tools used, types of transferred personal data, categories of data subjects affected, and information on onward transfers in their inventories as part of the mapping exercise.

*Reporting: Based on the above mapping exercise, EUIs shall report by 15 November 2020 on specific risks and gaps that they were able to identify. EUIs are expected to provide specific and transparent information on (1) illegal data transfers which are not based on any transfer tool, (2) transfers that are based on derogations under Article 50 of the Chapter V of the Regulation (EU) 2018/1725., and (3) data transfers that present high risk to data subjects. The third category includes all high-risk data transfers to the U.S. to entities that are subject to Section 702 FISA or E.O. 12333 and transfers that involve processing on a large-scale, sensitive personal data, or data of a highly personal nature.

The EDPS strongly encourages EUIs to avoid any data processing activity that involves personal data transfer to the U.S. and adopt a strong precautionary approach while using any new service provider or engaging in a new data processing operation.

(2) Medium-term action plans

*Transfer impact assessments: The EDPS shall provide a list of preliminary questions to EUI data controllers to conduct transfer impact assessments (TIAs) with data importers. Based on the results of TIAs, EUIs shall assess whether or not a particular third country provides essentially equivalent level of data protection as provided in the EU/EEA. If EUI decides to continue the data transfer to the third country, it shall identify and implement supplementary measures or additional safeguards to ensure essentially equivalent data protection standards in the third country. The EUI shall also assess whether conditions of derogations are adequately fulfilled where a cross-border transfer was permitted based on derogations.

*Reporting: Depending on the results of the TIAs, EUIs will be asked to report to the EDPS in spring 2021 on the following data transfer categories:

**Transfers to a third country that do not ensure an essentially equivalent level of protection,

**Transfers that are suspended or terminated shall be notified in line with Article 47(2) of the Chapter V of the Regulation (EU) 2018/1725., where EUI considers that the third country does not ensure an essentially equivalent level of protection

**Transfers that are based on derogations shall be notified in line with Article 50(6) of the Chapter V of Regulation (EU) 2018/1725.

The goal of the EDPS is to ensure that all ongoing and upcoming international data transfers comply with the EU Charter of Fundamental Rights, GDPR, the CJEU’s decision in Schrems II case and any applicable legal requirement. It aims to issue long-term compliance action plans based on the results of TIAs and mapping exercises.

Yes
NA
NA
Press Release | 17th July 2020
Strategy Document | 29th October 2020
European Data Protection Board (EDPB)

"The EDPB welcomes the CJEU’s judgment, which highlights the fundamental right to privacy in the context of the transfer of personal data to third countries...While the SCCs remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR.

If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.

The CJEU’s judgment also recalls the importance for the exporter and importer to comply with their obligations included in the SCCs, in particular the information obligations in relation to change of legislation in the importer’s country. When those contractual obligations are not or cannot be complied with, the exporter is bound by the SCCs to suspend the transfer or terminate the SCCs or to notify its competent supervisory authority if it intends to continue transferring data.

The EDPB takes note of the duties for the competent supervisory authorities (SAs) to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the competent SA and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or a processor has not already itself suspended or put an end to the transfer.

The EDPB recalls that it issued guidelines on Art 49 GDPR derogations (2); and that such derogations must be applied on a case-by-case basis.

The EDPB will assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment."

EDPB mandates the following actions be taken by all data exporters to continue the transfer of EU citizens protected personal data from the EU to non-EEA jurisdictions:

(1) Map all your data flows.

*You must know which non-EEA jurisdictions you are transferring personal data to taking into account all onward transfers and access to stored data within EEA.
*You must also see if the transfers are necessary and minimal. This mapping must be documented.

(2) Verify the transfer tool being relied upon.

*You must know which transfer tool you are relying on to make these data transfers.
*If a recipient juridisction you are transferring to has an adequacy decision, you are done with this assessment. For every other transfer tool under Article 46 of the GDPR, you must take the next step.
*Article 49 transfers can only be occasional and exceptional. This process should be documented.

(3) Assess the law and practice of the recipient jurisdiction.

*Assess and document if there is anything in the law or practice of the recipient jurisdiction - in context of your data transfer - which would impugn the effectiveness of the protections offered to the transferred data by the Article 46 transfer tool.
*Use the EU essential guarantees guidance to evaluate the legal set up of the recipient jurisdiction and the protections offered to the data. Focus on the laws allowing public authorities access to surveil the personal data.
*Analyze only using the law and regulations and cite practice - only if the law is unambiguous or unavailable, use other objective factors (not subjective ones).

(4) Identify and undertake supplementary measures if law of recipient jurisdiction would impugn Article 46 guarantees.

*If your analysis reveals that the legislation of the recipient jurisdiction will impugn the effectiveness of the protections offered to the personal data by the Article 46 transfer tool and you still wish to carry out the transfer you must identify and employ supplementary measures (contractual, organizational and technical measures).
*Contractual and organisational supplementary measures alone will not protect against laws which allow surveillance of the personal data by the public authorities of the recipient jurisdiction - technical measures are a must.
*The supplementary measures must aim to bring the level of protection of the transferred data up to the EU standard of essential equivalence and each supplementary measure employed must be assessed for its effectiveness in the context of the transfer, and in light of the applicable law of the recipient jurisdiction and the transfer tool you are relying on - you must document your reasoning.

(5) Take formal procedural steps to enact supplementary measures.

*You must take formal steps to employ the additional measures you have decided upon.
*For different Article 46 transfer tools, that could mean different processes and could require approval from the relevant Supervisory Authority.

(6) Monitor and regularly reassess effectiveness of supplementary measures.

*Re-evaluate and monitor at appropriate intervals the level of protection afforded to the transferred data by the Article 46 transfer tool and supplementary measures.
*You must remain constantly vigilant of any changes in the law or practice of the recipient jurisidiction or change in guidance by the EDPB or the relevant Supervisory Authority in relation to the protection of the transferred data.

Yes
Yes
Yes
Press Release | 21st June 2021
Adopted Recommendations | 10th November 2020
Adopted FAQs | 23rd July 2020
European Data Protection Board (EDPB)

The EDPB adopted a final version of the Recommendations on supplementary measures following public consultation. The Recommendations were first adopted in November 2020 following the CJEU Schrems II ruling. They aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries.

The final version of the Recommendations includes several changes to address comments and feedback received during the public consultation and places a special focus on the practices of a third country’s public authorities.

Among the main modifications (from the earlier adopted draft) are: the emphasis on the importance of examining the practices of third country public authorities in the exporters’ legal assessment to determine whether the legislation and/or practices of the third country impinge - in practice - on the effectiveness of the Art. 46 GDPR transfer tool; the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats; and the clarification that the legislation of the third country of destination allowing its authorities to access the data transferred, even without the importer’s intervention, may also impinge on the effectiveness of the transfer tool.

Yes
Yes
Yes
Final Recommendations | 21st June 2021
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Information Commissioner's Office (ICO)

“The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy.

We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”

NA

NA
NA
NA
Press Release | 16th July 2020
Information Commissioner's Office (ICO)

"The CJEU has confirmed how EU standards of data protection must travel with the data when it goes overseas, which means this judgment has wider implications than just the invalidation of the EU-US Privacy Shield. It is a judgment that confirms the importance of safeguards for personal data transferred out of the UK...Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available.

The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.

The judgment says that supervisory authorities have an important role to play in the oversight of international transfers. We are therefore taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy."

NA

NA
NA
NA
Press Release | 27th July 2020
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Conference of Independent Data Protection Supervisors (Germany)

"For a transfer of personal data to the USA and other third countries the existing standard contractual clauses of the European Commission basically continue to be used.

However, the ECJ emphasized the responsibility of the Responsible persons and the recipient to assess whether the rights of the persons concerned enjoy the same level of protection in the third country as in the Union.

Only then can be decided whether the guarantees from the standard contractual clauses in the Practice can be realized. If not, it should be checked what additional measures to ensure a level of protection in the EU essentially equivalent levels of protection can be taken."

With the implementation decision of June 4, 2021, the European Commission issued new standard contractual clauses that are intended to enable the legally compliant transfer of personal data to third countries. The conference of the independent data protection supervisory authorities of the federal and state governments (data protection conference, DSK) as well as the European data protection committee (EDPB) point out that an examination of the legal situation in the third country and additional supplementary measures is necessary even if the new EU standard contractual clauses are used.

...

The new standard contractual clauses have not changed anything in the situation described and the obligations arising from it. Rather, they now expressly regulate the requirements that previously only followed from the case law of the European Court of Justice (Clause 14). The EU Commission and the EDSA have deliberately coordinated the new standard contractual clauses and recommendations 01/2020. This means that even if the new clauses are used, the data exporter must check the legal situation and practice of the third country and, if necessary, take additional protective measures or, if this does not succeed, refrain from the transfer.

Yes
Yes
Yes
Press Release | 28th July 2020
Press Release | 21st June 2021
Federal Commissioner for Data Protection and Freedom of Information (Bfdi)

"The ECJ makes it clear that international data traffic is still possible. However, the fundamental rights of European citizens must be respected. Now, special safeguards have to be taken for the data exchange with the USA. Companies and authorities can no longer transfer data on the basis of the Privacy Shield, which has been declared null and void by the ECJ. With regard to the transition, we will, of course, provide intensive advice.

The ECJ has confirmed and strengthened the role of data protection supervisory authorities. As to each single data processing operation, they have to check and be able to check whether the high requirements of the ECJ are met. This also means that these authorities will prohibit the data exchange if the conditions are not complied with. Companies and authorities as well as supervisory authorities now have the complex task of applying the judgment in practice. We will urge rapid implementation in particularly relevant cases

The ECJ’s decision provides a clearer framework for international data traffic with the European Union. In this context, the ECJ places high demands on the special safeguards, such as standard contractual clauses, which have to be adopted by companies and authorities, and which have to be controlled by supervisory authorities."


"The non-governmental organization noyb Non-of-your-business had filed 101 complaints against the use of Google Analytics and Facebook Connect by European companies after the Schrems II ruling was announced . The complaints are addressed to all national supervisory authorities, including five German state data protection supervisory authorities. In terms of content, the complaints relate to the question of whether Google and Facebook are allowed to transmit personal data to the USA via the products mentioned and thus whether or not their use by websites of European providers is legal.

Both groups are now based on the so-called standard contractual clauses of the European Union. Whether they have taken the "additional measures" required by the ECJ as a supplement to the standard contractual clauses and whether these measures are sufficient to guarantee the level of protection required by the ECJ in the USA is the core issue of the complaint procedure. As a consequence, the EDPB has set up a second task force on the joint initiative of Germany and France . In particular, this should develop criteria for evaluating data transmission in individual cases, criteria for additional measures and procedural aspects for their implementation."

The following are the official effects of the Schrems II decision by CJEU on international data transfers:

*As per Article 44 of the GDPR Personal Data can only be transmitted to a third country from the EU if an appropriate level of protection to the personal data is guaranteed. This can be evidenced by an adequacy decision by the European Commission and in the absence of such a decision, a suitable guarantee i.e Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs) can be used. If even these are not possible, in the most rare cases, other transfer options in Chapter V of GDPR can be used.

*ECJ confirmed that in light of the Charter of Fundamental Rights of the European Union, data transferred to a third country essentially requires equivalent protection as under the GDPR. ECJ declared the European Commission’s Privacy Shield Decision (2016/1250) invalid as a data transfer mechanism but upheld the SCC decision (2010/87) provided that the protection clauses agreed upon contractually are practically available to data subjects in the third country through enforceable rights and effective mechanisms and remedies.

The Court further denied the US as providing an ‘essentially equivalent’ level of protection. Thus transmissions of personal data are not only invalid and illegal under the Privacy Shield but also through other mechanisms such as SCCs and BCRs.

*ECJ held that in case of transfers of personal data made to third countries based upon suitable guarantees such as SCCs and BCRs, it must be seen that the transferred data, through the appropriate guarantees, enjoys equivalent protection and if the law of the third country prevents compliance with the guarantees, additional measures will need to be taken to establish this protection in a specific case. Transfers via derogations in the GDPR are still possible but they must be exceptional. And even then the requirements for such derogations must be met (i.e express, informative and voluntary consent for the consent derogation).

*Data transfers to the US are no longer possible under the Privacy Shield as the US does not have an essentially equivalent level of protection. Transfers to the US under the SCCs and BCRs still remain possible in principle, provided additional measures are taken on a case to case basis which in a concrete manner protect from unrestricted access of data by US security authorities. This applies to the possibility of transfers under exceptional derogations. It is important to note there is no grace period for compliance. Companies must immediately comply with this decision.

*Companies and Supervisory Authorities must respond and must replace the mechanism of data transfer if they were relying on the Privacy Shield to transfer to the US immediately and secondly, they must check all third countries which are being transferred personal data using one of the suitable guarantees (SCCs, BCRs etc.) and assess whether additional measures will be required to protect the data. The result of these assessments must be documented in a comprehensible manner.

*If it is found during these assessments that there is no essentially equivalent level of protection guaranteed by a third country and transfers to that country have not been suspended or terminated, the Supervisory Authority will need to be advised. This obligation lies on both controllers and processors.

*The Bfdi will continue to evaluate the reactions to this letter and release more detailed guidance on data transfers in specific areas. Further guidance on Schrems II will also be released.

Yes
NA
NA
Official Guidance | 8th October 2020
State Commissioner for Data Protection and Freedom of Information (Baden--Württemberg)

NA

Standard Contractual Clauses (SCCs) are still valid as a data transfer mechanism to companies in third countries (without an adequacy decision) but the level of protection to EU residents must be similar to the protection granted in the EU.

(1) EU data exports must review the level of protection granted to EU residents in the third country keeping in mind Article 46 (1) of the GDPR and EU Charter of Fundamental Rights with a view towards the following factors:

* suitable guarantees by the Controller and Processor;

* enforceable rights;

* effective remedies;

* possibility of access by public authorities in the third country.

(2) It is important for data exporters to note that since the SCCs do not bind the public authorities of the third countries, if the public authorities of the third country can intervene and access the data in voilation of the EU residents rights despite the protections provided by the SCCs, then without additional safeguards, adequate protection is not being granted. In such cases the EU data exporter must, in agreement with the data importer:

* Take appropriate additional safeguards as required on case to case basis;

* If despite taking the additionals safeguards, the level of protection granted to the data cannot be guaranteed by the data exporter or importer, the transfer should be cancelled and the data already transferred deleted by the importer.

If the data exporter or importer continue to carry out the transfer despite adequate protection not being granted, the supervisory authority will have to intervene and stop and cancel the transfer.

(3) The following Checklist should be used by EU data exporters to ensure compliance with the judgement:

* Make an inventory of your data transfers/exports to companies/entities (public or private) in third countries. This includes not just physical storage but also remote access, retrieval and maintenance;

* Immediately instruct in writing to all your processers and sub-processers who transfer data to the US using the Privacy Shield to immediately suspend all transfers of personal data to the US until another alternative transfer mechanism cannot be found which guarantees and adequate and equivalent level of protection to the data;

* Update and adapt your data protection declarations, remove any mention of using Privacy Shield as a transfer mechanism for transfers to the US;

* Check and customize your list of processing activities accordingly;

* Contact your service provider/contractual partner in the third countries you export data to and inform him about the CJEU decision and its consequences;

* See if the data importers you transfer/export data to are based in third countries with adequacy decisions by the EC Commission - the US is no longer adequate after the invalidation of the Privacy Shield by the CJEU - if yes, then then the rest of the checklist does not apply;

* Check whether the data importers you transfer/export data to are based in third countries which can fall under the SCCs decision by the EC Commission. Countries which allow public authorities to dispropotionally intervene in the rights of data subjects (i.e a massive retrieval of data without informing the data subject or providing any judicial oversight) is not providing adequate protection;

* Review the legal situation of the third country to which you transfer data to. Focus on data protection laws of the third country - public authorities' access options including intelligence services on the data, legal protections that can be employed by you, the data importer and the data subjects, case law and official practice in the third country with reference to data protection level etc. Employ the help of EDPB and Supervisory Authorities to conduct this review;

* Reassess whether the transfer to the data importer in the third country can be avoided - consider using services that do not transfer data to the third country, contracting a ban on transfers to the third country or using encryption - only transfer to third countries without an adequacy rating and which do not provide an adequate level of protection to the data if necessary;

* if the transfer is necessary, undertake supplementary measures along with the SCCs to protect the data. Refer to (4) and (5) for mandatory measures.

(4) For countries like the US, where the public authorities can dispropotionally intervene with the data subjects' rights, as has been held by the CJEU, the following additional safeguards necessarily have to be taken:

* Encryption for which “only the data exporter has the key” and which “cannot be broken by U.S. [intelligence] services”;

* Anonymization or pseudonymization where “only the data exporter can re-identify the data”.

However, even these are considered sufficient only for some type of transfers and they are not a catch-all solution - protection must be seen on a case to case basis.

(5) Finally, the data exporter should contact the data importer and consider the following changes in the SCCs:

* Amendment to SCC Clause 4(f): Informing the data subject, not only in the case of transfers of special categories of data, but also in the case of any transfer (before or as soon as possible after the transfer) that his or her data will be transferred to a third country that does not provide an adequate level of protection within the meaning of Regulation (EU) 2016/679.

* Amendment to SCC Clause 5(d)(i): Obligation of the data importer to inform not only the data exporter but also the data subject promptly of any legally binding requests by a law enforcement authority for disclosure of the personal data; if this disclosure of information is otherwise prohibited, e.g. by a criminal law requirement to maintain the secrecy of investigation, the data exporter must contact the LfDI BW and clarify the further procedure. (if informing the data exporter or data subject of the surveillance request is not allowed by the law of the third country, the LfDi SA needs to be contacted for further guidance on how to proceed). Additionaly, general information of requests recieved in the past should also be disclosed by the data importer to the data exporter.

*Amendment to SCC Clause 5(d): Obligation of the data importer to take legal action against the disclosure of personal data and to refrain from disclosing personal data to the relevant public authorities until a competent court of last instance has ordered the importer to disclose the data in a legally binding manner.

*Amendment to SCC Clause 5(h): Along with the data exporter, the data importer should be obligated to inform/notify the affected party of any award of contract to a sub-processor.

*Amendment to SCC Clause 6: The data subject can hold the data exporter or data importer liable for any breach of the provisions of the SCC by the data importer or a sub-processor.

*Inclusion of the illustrative indemnification clause set out in Appendix 2 to the SCC.

Yes
Yes
Yes
Official Guidance | 25th August 2020
Official Guidance - Updated | 7th September 2020
Berlin Commissioner for Data Protection and Freedom of Information (Berlin)

Data controllers transferring personal data to the United States, especially those using cloud services, will need to stop doing so henceforth, and ensure the data are stored in the EU or in a country with an adequate level of protection. Specifically China, Russia, and India are countries for which there will be similar problems for data transfers...SCCs can continue to be used for personal data transfers with data recipients in third countries however, EU Data Exporters must be aware that mere conclusion of SCCs cannot justify all transfers to third countries; and they must conduct a prior check to determine if there is state access to the transferred data in the third country and means for data subjects to demand compensation for illegal data transfers.

NA

NA
NA
NA
Press Release | 17th July 2020
Hamburg Commissioner for Data Protection and Freedom of Information (Hamburg)

"The decision of the ECJ to keep the Standard Contractual Clauses (SCC) as an appropriate instrument is not consistent. If the invalidity of the Privacy Shield is primarily justified by the escalating secret service activities in the USA, the same must also apply to the standard contractual clauses. Contractual agreements between the data exporter and the importer are equally unsuitable for protecting data subjects from government access. At least with regard to the conclusion of the SCC with the US company at issue, the ECJ should have come to the same conclusion...However, the court passed the ball to the European SAs. The European SAs will have to consider the content-related standards of today's decision. In particular, they must now pay particular attention to the level of data protection in the recipient country. Upon request, the exporter has to prove to his locally competent data protection authority both the proportionality of official access options and the guarantee of a functioning legal protection. For their part, the supervisory authorities in the European Data Protection Committee are called upon to jointly evaluate the legal and actual situation in the recipient countries. In addition to the USA, this responsibility also affects the other states outside the EEA for which the European Commission has not made any adequacy decisions. The association of data protection supervisory authorities in Germany and Europe now has to come to an agreement quickly on how to deal with companies that are now inadmissibly continuing to rely on the Privacy Shield. The same goes for companies.

"Difficult times are looming for international data traffic. The bottom line is that in recent years it has been the USA, but even the EU Commission, has not succeeded in implementing a sound basis for adequate protection of data that corresponds to the European data protection standard. The implications of this ruling will affect international data transfer as a whole. A data transfer to countries without an adequate level of data protection will therefore no longer be allowed in the future. Here the supervisory authorities are particularly challenged to develop and implement a common strategy."

NA

Yes
NA
NA
Press Release | 16th July 2020
State Commissioner for Data Protection and Freedom of Information (Rhineland-Palatinate)

Numerous companies transfer personal data to offices outside the EU, e.g. to business partners in the USA or China. It is now becoming more difficult and demanding. In today's judgment, the ECJ declared the so-called EU-US Privacy Shield to be invalid, which is no longer the legal basis for data transfers to the USA. However, the standard contractual clauses of the EU Commission can continue to form the necessary legal basis for the data transfer . However, a high level of protection for the basic right to data protection must be ensured.

The State Commissioner for Data Protection and Freedom of Information in Rhineland-Palatinate, Prof. Kugelmann, emphasizes: “The protection of fundamental rights does not end at the border of the EU and also requires checking whether and how US security authorities have access to the data. The ECJ once again strengthens the rights of the individual. For the companies concerned, this means a lot of hard work to be able to conduct their business in accordance with data protection."

...The validity of the standard contractual clauses by the EU Commission - probably the most widely used transfer instrument for data transfers to third countries - has been confirmed. However, those responsible who use this transfer instrument cannot rest on it. "The ECJ has made it clear that companies cannot buy themselves free from their inspection obligations by using the standard contractual clauses," explains Professor Kugelmann. “The ball is now in the field of those responsible. You cannot avoid having to deal intensively with the national laws of the third country to which you wish to transmit data. If the data recipients are subject to legal regulations in their home country that violate European data protection law, they may not be able to comply with the contractual provisions of the standard contractual clauses.

The standard contractual clauses still apply. Will everything stay the same for those responsible who use this as a transfer instrument?

Yes and no. An adjustment of the standard contractual clauses by the EU Commission is not necessary. They are valid as such. However, the ECJ has made it clear that those responsible who use the standard contractual clauses must fulfill their obligations arising from them. If it turns out that the processor in the third country is subject to laws that make it impossible for him to follow the instructions of the data exporter, i.e. the person responsible in the EU, and to comply with his contractual obligations, the person responsible for exporting data in the EU has, for example, in accordance with Clause 5 of the standard contract for data transfers from controllers in the EU to processors in third countries (2010/87 / EU) the contractually established right to suspend the data transfer and / or to withdraw from the contract.
This was also the case before. With its ruling, the ECJ made it clear that data-exporting bodies must deal with the legal situation of the target country on a permanent basis in order not to be prosecuted by the supervisory authorities in the EU for data protection violations by the importing body in the third country.

Can the contracting parties adapt the standard contractual clauses themselves and thus create suitable guarantees for their specific contractual relationship?

The ECJ names the possibility of supplementing the standard contractual clauses by the contracting parties in order to nevertheless create suitable guarantees in this specific contractual relationship that the level of protection guaranteed by the GDPR for natural persons is not impaired (Rn. 132). The aim here is to achieve a level of protection that is equivalent to the level guaranteed in the Union by the GDPR in the light of the Charter (marginal numbers 92, 94, 96, 105). The criteria mentioned in Art. 45 (2) GDPR are to be used in particular (marginal no. 104).
It is unclear whether this is actually possible in individual cases, in particular, for example, under the application of security laws such as Sec. 702 Foreign Intelligence Surveillance Act (FISA), as US authorities are not bound by the Standard Contractual Clauses. It is also unclear how this possibility relates to Art. 46 Para. 3 lit. a GDPR, i.e. from when the above additions are subject to a regulatory approval requirement.

Can the standard contractual clauses generally no longer be used for data transfers to the USA?

This is currently under review and will largely depend on the interpretation of US security laws. The security laws in the USA like Sec. 702 FISA, which allows US security agencies to gain access to personal data in certain cases without a court order, takes precedence over telecommunications companies. As a rule, the standard contractual clauses cannot be used for data transfers to such companies. In addition, the law may also have an impact on other companies, e.g. if these companies make use of the services of telecommunications providers, such as cloud services. Then there is the possibility that the US security authorities will gain access to the data in this way. It is also conceivable that solely due to the fact that data is transmitted electronically, i.e. the fact that the data flows through the cables of US telecommunications providers on the way to the recipient in the USA, Sec. 702 FISA applies to all data transmitted in this way. In connection with data transmission to the USA, it should also be borne in mind that, in accordance with US Executive Order 12.333, insufficiently encrypted data can also be monitored if it traverses the transatlantic cables. More generally speaking, this means: In the event that the US security laws that conflict with EU data protection law apply to all data transfers from the EU to the USA, the level of protection in the USA as a whole cannot be regarded as equivalent to the level of protection prevailing in the EU. In this case, the standard contractual clauses, as they are formulated, do not represent suitable guarantees for data transmission to the USA. In the event that the US security laws only apply to certain data transfers to the USA, it is up to the data exporter in the EU, including the respective data importer in the USA, to check whether or which laws in his home country the data importer or the respective data transfer to this is subject to and to evaluate whether the standard contractual clauses represent suitable guarantees in this case.

What do those responsible who use the Standard Contractual Clauses have to do now?

Those responsible must check which laws the data importer in the third country to which they want to transfer the data and, if applicable, its other contractual partners in this business relationship are subject to, and whether these affect the guarantees given in the standard contractual clauses. Possibly. the specific data flows must be analyzed in order to determine which laws of the third country apply in each case. In order to meet the accountability obligation according to Art. 5 Para. 2 GDPR, these tests and the results must be documented. These obligations apply to data transfers to all third countries, not just the USA. Should impairments become apparent, there is the - at least theoretically - possibility of eliminating them by adding to the standard contractual clauses (Rn. 132). Whether it is actually possible to remedy the situation, especially in the event of a conflict between the laws of the third country and European data protection law, is questionable and will show itself in practical application. The individual case must be checked here. Also, from when the limit to ad hoc contracts (Art. 46 Para. 3 lit. a DS-GVO) is exceeded, i.e. when agreements require approval, is still an unresolved question. The check can possibly be bypassed in cases in which other transfer instruments of Chapter V DS-GVO or an exceptional circumstance of Art. 49 DS-GVO can be used. The latter is often considered for travel bookings, for example, but is unlikely to be considered for typical outsourcing scenarios, i.e. services that could also be provided in the EU / EEA but are easier, cheaper or better provided in a third country.

What do those responsible who use the standard contractual clauses have to do if the receiving agency in the third country is subject to a national law that violates the principles of the GDPR or Art. 7 and Art. 8 of the EU Charter of Fundamental Rights?

If the data protection guarantees named in the standard contractual clauses cannot be met by the data importer due to the legal situation in their home country, the data exporter, i.e. the person responsible in the EU, must suspend data transfers there, because otherwise they themselves violate data protection law. Data that have already been transmitted to the third country must all be returned by the data importer or destroyed (marginal number 143). The contracting parties can try to create suitable guarantees by adding to the standard contractual clauses.

What questions do those responsible in the EU now have to ask themselves in connection with the standard contractual clauses?

a) Do I transfer personal data to a country outside the EU or the EEA?
b) If not, the exam ends here. If so: do I use standard contractual clauses of the EU Commission as a transfer instrument within the meaning of Chapter V GDPR?
c) If not, the exam ends here. If so: Is the data importer in the third country or its subcontractors in my business relationship subject to laws of this third country that contravene the GDPR or Art. 7 or Art. 8 of the EU Charter of Fundamental Rights, or is there any other indication that the guarantees given in the standard contractual clauses cannot be met?
d) If not, the exam ends here. If so: Can the standard contractual clauses be supplemented with the help of further agreements between the contracting parties in such a way that the level of protection thus created is essentially equivalent to the level of protection guaranteed in the Union?
e) If so, the exam ends here. If not: Can the data transfer be based on another transfer instrument within the meaning of Chapter V DS-GVO or on an exceptional fact of Art. 49 DS-GVO?
f) If so, everything is fine. If necessary, adapt your information in accordance with Art. 13 GDPR. When applying Art. 49 Para. 1 lit. a DS-GVO that the consent must be given voluntarily, earmarked, informed and unambiguous. If not: Suspend the data transfer immediately and request the data importer to return the data that has already been transmitted or request them to destroy the data. Get in touch with future contractual partners in countries where your data is better protected.

Yes
Yes
Yes
Press Release | 16th July 2020
Thuringian Commissioner for Data Protection and Freedom of Information (Thuringia)

Given the extensive criticism voiced by the Court on the national surveillance legislation and the lack of adequate redress provided by the Intelligence Ombudsman in the Privacy Shield arrangement, it is unclear, how SCCs can still be used for data transfers to the U.S.

If the ECJ now emphasizes that the protective mechanisms of the Standard contractual clauses and their compliance by the data exporter and the Data recipient must be checked before transmission, then I do not know as in the case of data transmission to the USA, what conclusion an EU data protection compliant test result should come to for the transfer to be allowed.

Press Release | 16th July 2020
State Commissioner for Data Protection and Freedom of Information (North Rhine-Westphalia)

With the judgment, a decision of the European Commission that affects the EU-US Privacy Shield is declared invalid (adequacy decision). Anyone wishing to transfer data to the USA in accordance with the General Data Protection Regulation (GDPR) can therefore no longer rely on this adequacy decision, but must use other legal instruments. There is no transition period during which the Privacy Shield can still be used within the meaning of the GDPR. The ruling has also confirmed decisions of the European Commission concerning standard data protection clauses as legal. Such standard data protection clauses can in principle consist of the necessary guarantees that are provided for data transmission to countries outside the EU and the European Economic Area (standard data protection clauses, Article 46 Para. 2 letter c GDPR). However, the users of these clauses must check for themselves whether these guarantees are sufficient or whether they need to be supplemented by further measures - especially if there are poor data protection conditions in the destination country. A data exporter who is already using standard contractual clauses has thus undertaken to suspend the data transfer if the clauses are not complied with in the target country, or at least to inform the responsible supervisory authority. If such clauses are not sufficient and if no suitable additional measures are taken, the data protection authorities can order that the transmission be suspended. whether these guarantees are sufficient or need to be supplemented by further measures - especially if the data protection conditions are poor in the target country. A data exporter who is already using standard contractual clauses has thus undertaken to suspend the data transfer if the clauses are not complied with in the target country, or at least to inform the responsible supervisory authority. If such clauses are not sufficient and if no suitable additional measures are taken, the data protection authorities can order that the transmission be suspended. whether these guarantees are sufficient or need to be supplemented by further measures - especially if the data protection conditions are poor in the target country. A data exporter who is already using standard contractual clauses has thus undertaken to suspend the data transfer if the clauses are not complied with in the target country, or at least to inform the responsible supervisory authority. If such clauses are not sufficient and if no suitable additional measures are taken, the data protection authorities can order that the transmission be suspended. or at least to inform the responsible supervisory authority. If such clauses are not sufficient and if no suitable additional measures are taken, the data protection authorities can order that the transmission be suspended. or at least to inform the responsible supervisory authority. If such clauses are not sufficient and if no suitable additional measures are taken, the data protection authorities can order that the transmission be suspended.

NA

Yes
NA
NA
Press Release | Undated
The State Commissioner for Data Protection and Freedom of Information (Bremen)

No statement

NA

NA
NA
NA
Bavaria State Office/State Commissioner for Data Protection Supervision (Bavaria)

No statement

NA

NA
NA
NA
State Commissioner for Data Protection and Freedom of Information (Mecklenburg-Vorpommern)

No statement

NA

NA
NA
NA
The State Representative for Data Protection an the Right to Inspect Files (Badenburg)

No statement

NA

NA
NA
NA
The Hessian Data Protection Officer (Hessen)

No statement

As a first step, companies and public bodies in Hessen are therefore advised that the transfer of personal data to third countries such as the USA is not permitted without additional protective measures.

The HBDI expects the data processing centers in Hesse to check whether their IT systems transfer personal data to third countries in which there is an insufficient level of data protection. If this is the case, they must be able to prove that they have carried out the necessary tests and, if necessary, initiated the first steps to ensure that the data processing methods used, such as video conference systems, meet the requirements of the GDPR. This can vary in complexity depending on the processing process.

In the case of process changes that are easy to implement and for which functionally equivalent alternatives that can be used in accordance with data protection already exist (such as the use of video conference systems), immediate implementation activities are expected from the data processing units.

If the need for implementation for more complex procedures is identified, an appropriate roadmap for implementation must be drawn up. The HBDI supports this implementation process with advice. When acting as a supervisory authority, it will take into account the implementation periods required for this.

NA
NA
NA
Press Release | 22nd June 2021
State Representative for Data Protection and Freedom of Information (Saarland)

No statement

NA

NA
NA
NA
State Commissioner for Data Protection (Lower Saxony)

No statement

NA

NA
NA
NA
Saxon Data Protection Officer (Saxony)

No statement

NA

NA
NA
NA
State Commissioner for Data Protection (Saxony-Anhalt)

No statement

NA

NA
NA
NA
Indepedent State Center for Data Protection (Schleswig-Holstein)

No statement

NA

NA
NA
NA
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Commission Nationale de l'Informatique et des Libertés (CNIL)

"The CNIL is currently conducting a precise analysis of the judgment, together with its European counterparts assembled within the European Data Protection Board. This joint work aims at drawing conclusions as soon as possible on the consequences of the ruling for data transfers from the European Union to the United States".

The method proposed below by the CNIL is given only as an indication, in order to help data controllers to identify and process transfers of personal data outside the EU:

1. List the transfers of personal data linked to your digital tools

The inventory should make it possible to highlight any transfers of personal data outside the European Union carried out as part of your business activities (customer / user oriented) and your support functions.

  • Check your digital tools (technical section)
  • Check your contracts (legal aspect)
  • Complete or constitute your tool for monitoring transfers outside the EU

2. Define an action plan

  • Determine the criticality for your organization
  • Assess whether the transfers have a legal basis and possible solutions
  • Have the solutions identified by the person in charge of your organization validated and follow up
Yes
Yes
Yes
Press Release | 17th July 2020
Proposed Methodology for transfers | 23rd June 2021
Commission Nationale de l'Informatique et des Libertés (CNIL)

"1. In practice, who should draw the consequences of the decision of the Court of Justice of the EU?

In accordance with the principle of responsibility, these are primarily organizations wishing to transfer data outside the European Union. Both data controllers and data transfer processors are accountable for these requirements.

2. What are the main actions to be implemented for the organizations concerned?

Data controllers and subcontractors are first of all advised to identify all the transfers of personal data outside the European Union to which they make, and in particular to the United States of America. It is then recommended to carry out a rigorous assessment of the legality of each of these transfers, in particular taking into account the decision of the Court of Justice of the European Union. Finally, the organizations concerned should define an action plan to enable them, if necessary, to comply with the legal framework applicable to data transfers. The CNIL proposes here a method to precisely identify these transfers, by means of a technical and legal census, and to implement an action plan adapted to your organization. In the context of these compliance actions, two steps are essential:
(i) the assessment of the legislation of the third country to which the data is transferred;
(ii) if necessary, the implementation of additional measures to ensure a sufficient level of data protection.

3. Who is responsible for the assessment of the laws of third countries applicable to the transferred data and when should this assessment take place?

In accordance with the principle of responsibility, it is the body carrying out the data transfer which must assess whether the data transferred to the third country will benefit from a sufficient level of protection.

4. What exactly should we evaluate?

The assessment of the level of protection from which the transferred data will benefit must relate to the specific legislation (s) applicable to the transfers in question. In all cases, it must aim to determine whether the guarantees contained in the transfer management tool ( CCT , BCR , etc.) can be respected in practice or whether the legal framework for the destination of the transfer has the effect of reducing or eliminating the application of these guarantees.The applicable legislation in matters of intelligence and access by the competent public authorities must be the subject of a particular examination. It may also be necessary to examine other sectoral legislation.

5. How to proceed with this evaluation?

The assessment of the applicable legislation must be made on a case-by-case basis and depending on the nature of the transfers concerned. Organizations wishing to carry out such data transfers can use two main tools:
(i) the decisions of the CJEU or the European Court for the Protection of Human Rights, which have been able to assess the compliance of certain laws with European data protection standards.
(ii) The recommendations of the European CNIL, which for example detailed the essential guarantees that must be found (4 guarantees), in terms of surveillance, in the third country when assessing the level of data protection.

6. What are the categories of additional measures to be implemented?

Three types of measures can be put in place cumulatively to ensure the correct application of the guarantees provided for in the transfer management tool:
(i) technical measures, in particular data encryption or pseudonymization measures;
(ii) organizational measures, for example to ensure that the recipient of the transfer will not store the data received from its subsidiaries if they are located in third countries which have legislation that does not comply with European surveillance requirements, for example;
(iii) legal measures, for example a clarification in the contractual commitments framing the transfer of the definition of a particular concept if it is not understood in the same way in the rights of the exporter and the importer, or the 'contractual imposition of technical or organizational measures."

Guidance | 23rd June 2021
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Austrian Data Protection Authority

No statement

NA

NA
NA
NA
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Commision for Personal Data Protection

With the judgment in Case C-311/18 (known as the "Schrems II" judgment), the ECJ has upheld the European Commission decision (EU) 2016/1250 on the appropriateness of the EU-US Privacy Shield protection (it is an adequacy decision known as the "Privacy Shield") for the reason that the access to and use by the US authorities of data transferred from the EU to the US under the monitoring programs not limited to what is strictly necessary (non-compliance with the proportionality principle of the GDPR).

On the other hand, the Court of Justice has validated the European Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries. However, the ECJ has clarified that if the standard data protection clauses in that country are not or cannot be complied with and the protection of the transferred data, as required by EU law, cannot be ensured in any other way, the EU-based the exporter himself must suspend or terminate the transfer. If not, national supervisory authorities should do so if they consider it necessary.

This judgment has consequences for controllers and processors who transfer personal data to third countries. We invite these companies to consult the statement and answers of the EDPB on the issues raised in this judgment and prepared by the European Data Protection Board (EDPB) with the contribution of the DPA. The DPA is currently in close cooperation with its counterparts at the EDPB examining the consequences of the judgment and is making every effort to ensure the protection of the fundamental right to data protection and privacy while at the same time free exchange of data between the European Economic Area and third countries.

NA

Yes
NA
NA
Press Release | 31st August 2020
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Commission for Personal Data Protection

No statement

NA

NA
NA
NA
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Data Protection Agency

The Director of the Personal Data Protection Agency, Mr. Zdravko Vukić, participated in the 34th plenary session of the European Data Protection Board held on 17 July 2020. The main topic of discussion was the judgment of the Court of Justice of the European Union in case C-311/18 Data Protection Commissioner / Maximillian Schrems and Facebook Ireland, which annulled Decision 2016/1250 on the adequacy of protection under the Euro-American privacy system. In contrast, the Court held that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors in third countries is valid.

NA

Yes
NA
NA
Press Release | Undated
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Commissioner for Personal Data Protection

"On 16 July, the European Court of Justice (ECJ) issued a landmark ruling abolishing the Privacy Shield , the legal tool that allowed the transfer of personal data to the United States. At the same time, it considered that the Standard Conventional Clauses (CCs) remain in force, another legal tool that can be used to transmit data to third countries, but under strict conditions. This Decision affects all organizations that transmit or intend to transmit data to third countries and in particular to the USA.

Although the SCCs remain in force, an organization that uses or intends to use them should consider the country of surveillance status and, if a satisfactory level of protection is not provided, should not allow or suspend any transmission. It should also, where necessary, take additional protection measures. Otherwise, affected citizens can take legal action against the organization for compensation and file a complaint with the competent supervisory authority"

NA

Yes
NA
NA
Press Release | 20th July 2020
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Office for Personal Data Protection

In today's judgment, the Court of Justice of the European Union found that a review of Decision 2010/87 (on standard contractual clauses for the transfer of personal data to processors established in third countries) in comparison with the Charter of Fundamental Rights did not reveal any fact that could affect its validity. Decision 2016/1250 on the adequate protection provided by the EU-US Privacy Shield was declared invalid.

NA

Yes
NA
NA
Press Release | 16th July 2020
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Danish Data Protection Agency

The standard contracts remain valid in principle. Danish Data Protection Agency will regularly provide updates on the Authority's website on the consequences of the Schrems II judgment.

"If you have transferred personal information to the United States on the basis of the Privacy Shield, you should consider whether you can use a different transfer basis in the future, as it is now illegal to use the Privacy Shield. Alternatively, you can consider whether one of the exceptions in Article 49 can be used.

If you are considering using, for example, the Commission's standard contracts as a basis for future transfers, be aware that - although the European Court of Justice has initially declared the standard contracts valid - you must assess the circumstances in the third country to which you want to transfer personal data. The assessment must ensure that the protection established through the use of the standard contracts is "essentially equivalent" to that which we have in the EU, and thus not undermined by the conditions in the third country. In the assessment, it will be relevant, for example, to look at the legislation of the third country, including the possibilities for the authorities (e.g. the intelligence services) to gain access to personal data, the control thereof and the data subjects' means of redress.

If you use the EU Commission’s standard contracts to transfer personal data to the United States and/or third countries and your investigations show that you cannot ensure an adequate level of protection using the transfer tools in the GDPR – and the exceptions in Article 49 cannot be applied either – stop transferring personal data. In relation to Article 49, you should pay particular attention to the fact that the exceptions have a very narrow scope and that several of them cannot be used if you are a public authority.

If you have transferred information on the basis of the standard contracts and the transfer can no longer take place, ask the recipient in the third country to delete or return the transferred information."

Yes
NA
Yes. Exceptions have a narrow scope and several of them cannot be used if you are a public authority.
Press Release | 20th July 2020
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Estonian Data Protection Inspectorate

"The transfer of personal data to the United States has been further tightened since mid-July, as the European Court of Justice annulled the Privacy Shield, a data protection framework that has so far provided security for EU and US companies.

From 16 July 2020, data controllers cooperating with US companies listed in the Privacy Shield will need to review the transfer of data in accordance with data protection clauses accepted by the European Commission. This means that one option is to conclude a corresponding agreement, which is provided for by the European Commission. Other safeguards can be used in the articles of the General Regulation on the Protection of Personal Data (EDPS).

When transferring personal data to any third country with an insufficient level of data protection, it must be borne in mind that it is also important to be convinced of the third country's adequate level of protection of personal data. Therefore, EU companies must always assess the European Commission's data protection clauses themselves. The assessment must determine whether the protection of Europeans' personal data can be protected in the future or in the future by ensuring data protection clauses. If the protection of personal data cannot be guaranteed, the transfer of data must be suspended. If it is desired to continue the data transfer, another appropriate safeguard must be found."

How to understand which article of the General Regulation applies to a specific data transfer?

It should first be ascertained whether the third country or international organization to which the data is to be transferred has received a decision from the European Commission that an adequate level of data protection is ensured in that country, sector or international organization. A list of countries with a sufficient level can be found on the European Commission's website. If the Commission's adequacy decision exists, it is not necessary to apply to the Inspectorate for a special permit for the transfer of data. In the absence of a decision on adequacy for a State or an international organization, data may generally be transferred subject to the safeguards described in Article 46 of the General Regulation or to the application of the exceptions described in Article 49 of the General Regulation.

Transmission in application of safeguard measures (Article 46)

Article 46 of the CCIP describes the safeguards under which personal data may be transferred to a third country whose level of data protection has not been assessed as adequate. It can be transmitted using either binding intra-group rules, standard data protection clauses, legally binding documents between public sector bodies or codes of conduct, etc. Using the European Commission's Standard Contractual Clauses, the text of the standard data transfer agreement is provided and must be followed by the parties to the agreement. In its judgment of 16.07.2020 in case C-311/18, the ECJ upheld this protection measure, but emphasized that data protection supervisory authorities must suspend or prohibit the transfer of data to a third country if, in all circumstances, it is considered that the protection of personal data cannot be ensured in that third country. .
Where the safeguards listed in Article 46 (2) are used , the Inspectorate need not apply for a specific authorization for the transfer of data. A special permit must be requested from the Inspectorate if the transfer takes place in accordance with Article 46(3) CISA (so-called 'ad hoc agreement between the controller and the processor in a third country, administrative arrangements between a public authority or bodies, including legally protected and effective data subjects' rights'). Before issuing an authorization decision, the Authority shall seek the opinion of the European Data Protection Board in order to apply the continuity mechanism provided for in the General Regulation.

Transmission to the United States

The United States is considered to have an insufficient level of data protection. Until 16 July 2020, companies were able to transfer personal data to the United States using the European Commission's Implementing Decision 2016/1250 (Privacy Shield) as a data protection framework, which regulated the adequacy of personal data protection when transferring data between the European Union and the United States. The Commission Implementing Decision was terminated by the judgment of the Court of Justice of 16.07.2020 in Case C-311/18 , which necessitated the use of alternative safeguards for the transfer of personal data. The transfer of personal data to the United States is subject to the safeguards provided for in Article 46 of the General Data Protection Regulation (GPA) or to through the exceptions in Article 49 . The European Data Protection Board has issued a further clarification [in its FAQs].

Yes
NA
NA
Press Release | 17th July 2020
FAQs | 10th September 2020
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Data Protection Authority

"The European Court of Justice has today delivered an important ruling in the so-called Schrems II case (C-311/18), in which it annuls the European Commission's decision on the adequacy of the level of data protection in the EU-US Privacy Shield. In its ruling, the Court also takes a position on model contract clauses as a basis for transfers of personal data to third countries."

NA

Yes
NA
NA
Press Release | 16th July 2020
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Hellenic Data Protection Authority

No statement

NA

NA
NA
NA
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
National Authority for Data Protection and Freedom of Information

No statement

NA

NA
NA
NA
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Data Protection Authority

"The European Court of Justice has annulled the decision of the European Commission, no. 2016/1250, which deals with the adequate protection of personal data under the Privacy Shield Agreement between the European Union and the United States, which involves the transfer of personal data to companies in the United States that have gone through a specific process and been registered on a US Department of Commerce list...

However, the European Court of Justice upheld the validity of Commission Decision no. 2010/87 on standard contractual terms for the transfer of personal data to processors established in third countries. [The Court] considered that the decision provided for an effective arrangement to ensure that adequate protection was provided in the transfer of personal data to third countries. However, the Court emphasized the need to ensure in practice that standard contractual terms provide the protection afforded by the general data protection regulation. In deciding whether to comply with standard contractual terms, responsible parties intending to export personal data outside the EEA area must therefore assess whether the recipient country provides adequate protection. Such an assessment shall, among other things, take into account the content of the standard contract terms, the circumstances of the transfer (e. specific circumstances of the transfer) and the legal environment of the recipient country. In this connection, the factors specified in the second paragraph shall be considered. Article 45 of the General Privacy Regulation, but that specification is not exhaustive."

NA

Yes
NA
NA
Press Release | 16th July 2020
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Data Protection Commission

"The Court [has] agreed with the DPC’s view that, whatever mechanism is used to transfer data to a third country, the protection afforded to EU citizens in respect of that data must be essentially equivalent to that which it enjoys within the EU.

...while in terms of the points of principle in play, the Court has endorsed the DPC’s position, it has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.

As well as providing clarity on points of substance, today’s judgment also contains important statements of position relating to matters of process, to include the allocation of responsibility between data controllers and national supervisory authorities when it comes to ensuring that the rights of EU citizens are protected in the context of EU/US data transfers. While noting the Court’s reference to the fact that a supervisory authority could not suspend data transfers while an adequacy decision - such as Privacy Shield – was in force, the DPC acknowledges the central role that it, together with its fellow supervisory authorities across the EU, must play in this area. In that regard, we look forward to developing a common position with our European colleagues to give meaningful and practical effect to today’s judgment."

NA

Yes
NA
NA
Press Release | 16th July 2020
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Garante per la Protezione dei Dati Personali

The Court of Justice of the European Union (CJEU) ruled on July 16 (so-called "Schrems II Judgment" ) on the data transfer regime between the European Union and the United States, invalidating the adequacy decision of the " Privacy Shield, adopted in 2016 by the European Commission following the termination of the "Safe Harbor" agreement.

In the same ruling, the CJEU also considered valid the decision 2010/87 concerning the standard contractual clauses for the transfer of personal data to data processors established in third countries.

NA

Yes
NA
NA
Press Release | 29th July 2020
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Data State Inspectorate

No statement

NA

NA
NA
NA
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Data Protection Office

"On July 16, 2020, the European Court of Justice (ECJ) declared the EU-US Privacy Shield data agreement between the USA and the EU to be invalid in its judgment on the Schrems II case ( judgment ECJ C-311/18 ).

However, the European Court of Justice also made it clear in its judgment that data can still be transmitted to the USA on the basis of other suitable guarantees according to Art. 46 ff. GDPR, in particular on the basis of standard data protection clauses. At least in the medium term, until a new agreement with the USA on data transmission can be concluded by the EU Commission, those responsible must now rely on such instruments."

NA

Yes
NA
NA
Press Release | 17th July 2020
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
State Data Protection

"Court of Justice of the European Union 2020 July 16 annulled the decision of the Commission of the European Union of July 12 Implementing Decision (EU) 2016/1250 on the adequacy of the protection afforded by the EU-US Privacy Shield under Directive 95/46 / EC of the European Parliament and of the Council."

NA

Yes
NA
NA
Press Release | 20th July 2020
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
National Commission for Data Protection

"The CJEU invalidated decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield . In its judgment, the Court found that the “Privacy Shield” did not provide a level of protection essentially equivalent to that guaranteed by the GDPR and the Charter of Fundamental Rights of the EU.

The CJEU also ruled that the mechanism for transferring standard contractual clauses remained, in principle, valid. However, it underlined that these contractual clauses impose an obligation for the data exporter and the recipient of the transfer to verify, beforehand, that this level of protection is respected in the third country concerned and that it obliges this recipient to inform the data exporter for its possible inability to comply with the standard protection clauses. It is then up to the latter to suspend the transfer of data and / or to terminate the contract concluded with the former.

The CNPD, in collaboration with the European Data Protection Board (EDPB) and the EU supervisory authorities, is currently evaluating the decision to ensure consistency in the EEA (European Economic Area)."

The EDPB adopted a final version of the recommendations concerning the additional measures following a public consultation which found a very wide response to the parties concerned.

Following the Schrems II judgment of the Court of Justice of the European Union, the recommendations aim to help data controllers and processors acting as data exporters to define and implement additional measures appropriate when they are necessary to ensure an essentially equivalent level of protection for the data they transfer to third countries. Among the main changes are:

(i) Emphasis on the importance of examining the practices of public authorities in third countries in the legal assessment of exporters in order to determine whether the legislation and / or practices of the third country infringe - in practice - on efficiency the GDPR transfer tool of Article 46;
(ii) The possibility that the exporter takes into account the practical experience of the importer in his assessment; and
(iii) The clarification that the legislation of the third country of destination allowing its authorities to access the transferred data, even without the intervention of the importer, may also undermine the efficiency of the transfer tool.

Yes
NA
NA
Press Release | 27th July 2020
Press Release | 21st June 2021
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Information Data Protection Commission

No statement

NA

NA
NA
NA
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Autoriteit Persoonsgegevens

Organizations can no longer pass on personal data to the United States on the basis of the privacy shield.

The GDPR states that personal data may not simply be passed to persons or organizations based in countries outside the European Economic Area (third countries), such as the US. This is only allowed if the security level for personal data guaranteed by the GDPR is not undermined in those third countries. The GDPR lists a number of ways to achieve this. Of these, 2 are under discussion in the Schrems II case: transfer based on an adequacy decision and transfer based on model contracts.

The EDPB is examining the practical consequences of the ruling and what possible next steps could be. In the short term, the EDPB will provide guidance on additional measures that organizations can include in model contracts.

Press Release | 20th July 2020
Autoriteit Persoonsgegevens

"Companies must now consider whether they use the old model contracts in current contracts. If this is the case, and if the contracts have a duration of more than 18 months, they must switch to the new model contract. Together with the new model contract, the EC has adopted a standard data processing agreement. This agreement helps companies to make GDPR-proof agreements with their processors. When an organization engages another organization to process data, those 2 organizations must conclude a processing agreement. In a procesosr agreement, both parties lay down agreements about what the processor can and cannot do with that personal data."

Press Release | 9th June 2021
Autoriteit Persoonsgegevens

"The recommendations of the European Data Protection Board for the transfer of personal data to countries outside the EU (third countries) are final.

The condition for a transfer based on a model contract is that a company takes sufficient additional measures to guarantee the security of the transfer. That is the company's own responsibility. After further investigation, is there still any doubt about the security of the transfer of personal data? Then the AP advises to stop the transfer and to keep data in the EU.

If the US starts to protect personal data better, new agreements can be made between the EU and the US, similar to the Privacy Shield. The transfer of personal data to the US will then be easier and more secure. The European Commission is therefore in negotiations with the US about new agreements."

Press Release | 21st June 2021
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Data Protection Authority

Business currently using the Privacy Shield mechanism must consider what other transfer bases may be used to transfer personal information to the United States.

If you could conclude that the level of protection will not be equivalent to that in the EEA, you must implement further measures that compensate for this and that ensure a similar level of protection in practice. If there are no such additional measures or you are not able to implement such measures, you cannot transfer the personal data.

What the additional measures may entail must be decided in each individual case, in light of the specific circumstances. It could potentially be a question of legal, technical or organizational measures. At present, however, there is great uncertainty as to what kind of additional measures may be sufficient if the third country has laws that take precedence over the obligations under the transfer bases or otherwise lower the level of protection. This means that at present it is very challenging to transfer personal data to such third countries, and in practice it will probably not be possible for most people to do so.

Yes. Exception rules must be interpreted narrowly and they can only be used in certain cases.
Press Release | 16th July 2020
FAQs | 27th July 2020
Data Protection Authority

"Norwegian Data Protection Authority will accept that Norwegian companies start using the standard data processor agreement with the EU Commission already now if they so wish. We expect that both standard agreements (standard data processor agreement and standard agreement for the transfer of personal data to third countries) will be translated into Norwegian when they are included in the EEA agreement."

We plan to prepare updated guidance on the transfer of personal data to third countries within a short time.

Press Release | 9th June 2021
Press Release | 21st June 2021
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Inspector General for the Protection of Personal Data (GIODO)

"The Court of Justice of the EU, in its judgment in the case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd. and Maximilian Schrems, issued on July 16, 2020, confirmed the high standard of personal data protection with regard to the transfer of personal data to third countries. The CJEU annulled the European Commission implementing decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield. At the same time, the CJEU confirmed the continued validity of European Commission Decision 2010/87 on standard contractual clauses (SCC) for the transfer of personal data to data processors based in third countries. The Court, however, stipulated that it should be ensured that the rights of persons whose personal data are transferred to a third country on the basis of standard contractual data protection clauses are protected to an extent substantially equivalent to that guaranteed in the EU by the GDPR in the light of the provisions of the EU Charter of Fundamental Rights.

This means that controllers will need to make an individual assessment of the level of data protection afforded in such cross-border data transfers, which must take into account not only the contractual provisions themselves agreed between data exporters and importers, but also legal provisions in the third country, in particular relating to possible access by authorities. public authority of that state to the transmitted data. When, in the light of the assessment, the level of protection of personal data is not substantially equivalent to that guaranteed in the EU, the transfer of data may be made conditional on an equivalent level of protection by other means."

 

NA

Yes
NA
NA
Press Release | 20th July 2020
Inspector General for the Protection of Personal Data (GIODO)

"The application of the new standard contractual clauses does not exclude the need to assess the planned transfer in terms of compliance with the judgement of the CJEU in the Schrems II case and possible implementation of measures supplementing standard contractual clauses."

Press Release | 22nd June 2021
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
National Commission for Data Protection

No statement

NA

NA
NA
NA
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
National Commission for Data Protection

"By judgment of 16 July 2020 in Case C-113/18, the Court of Justice of the European Union annuls Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 under Directive 95/46 / EC of the European Union The European Parliament and the Council on the adequacy of the protection afforded by the EU-US Privacy Shield.

[Thus] in the absence of a decision on the adequacy under art. 45 para. (3) of Regulation (EU) 2016/679, the transfer of personal data to the United States may be carried out in accordance with one of the following instruments provided by art. 46 of Regulation (EU) 2016/679: standard data protection clauses, mandatory corporate rules, codes of conduct and certification mechanisms. Also, the transfer of personal data to the United States may be made under the derogations provided in art. 49 of Regulation (EU) 2016/679.

NA

Yes
NA
NA
Press Release | 20th July 2020
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Office for Personal Data Protection

"The Court of Justice of the EU today ruled in Case C-311/18, also known as Schrems II, in which it declared invalid the Privacy Shield decision issued by the Commission and confirmed the validity of the standard contractual clauses issued by the Commission."

NA

Yes
NA
NA
Press Release | 16th July 2020
Office for Personal Data Protection

"On 4 June 2021, the European Commission adopted modernized standard contractual clauses for the transfer of personal data to third countries pursuant to Art. 46 par. 2 letter (c) of the GDPR. Standard contractual clauses can be used to transfer personal data between:

a. operators in the EU and operators in a third country
b. operators in the EU and intermediaries in a third country
c. intermediaries in the EU and intermediaries in a third country
d. intermediaries in the EU and operators in a third country"

Press Release | 7th June 2021
Office for Personal Data Protection

"The EDPB adopted Recommendations on measures complementing the transfer instruments to ensure compliance with the levek of protection of personal data in the EU. The recommendations follow the six-step process set out in the first draft recommendation:

1. Data tranfer mapping
2. Identification of the transmission mechanism
3. Assessment of the legal system of the beneficiary country
4. Consideration of additional measures
5. Take steps to take additional measures
6. Review of data transfer agreements"

Press Release | 22nd June 2021
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Office of the Information Commissioner

"The decision of the Court of Justice of the European Union (CJEU) in the case of Schrems II (DPC Ireland v. Facebook Ireland and Schrems) was published today, declaring the CJEU invalid European Commission Decision 2016/1250 on the appropriate level of personal data protection within the EU-US privacy shield agreement. At the same time, the CJEU confirmed the validity of standard contractual clauses that can still be used for data transfers to third countries that do not ensure adequate protection of personal data.

The EU Court of Justice has abolished the so-called privacy shield, leaving organizations with other listed data transfer mechanisms, which they need to take care of as soon as possible. Disclosures of personal data are still possible [even to the US] provided that the personal data controller itself provides appropriate safeguards to ensure the protection of privacy and the fundamental rights and freedoms of individuals. European companies exporting personal data must be aware that they have a responsibility to assess the lawfulness of the export and further processing, and that they must ensure that all principles of European data protection are covered and respected in each case of the transfer of personal data. Organizations that export data to the United States and have so far relied on the recipient to be a company that can be found on the so-called Privacy Shield list,they must ensure that transfers are justified on another basis as soon as possible (eg standard contractual clauses, binding business rules, exceptions) otherwise, data may not be transmitted in the United States. In a very similar situation in 2015, when the Court of Justice of the European Union annulled the predecessor of the Privacy Shield, ie the safe harbor agreement, organizations often based data transfers in the US on standard contractual clauses concluded with partner organizations.

The EU Court of Justice has based its argument for repealing the Privacy Shield on the finding that the protection of personal data as provided by US law is not at an equivalent level as in the EU. In particular, it drew attention to the insufficiently limited powers of the US authorities to access transferred data and to ineffective protection through the Ombudsman, which is supposed to ensure the exercise of individuals' rights in the US. In this context, other data transfer mechanisms that EU organizations will have to use, e.g. standard contractual clauses or binding business rules, ensure a higher level of protection of the rights of individuals."

NA

Yes
Yes
NA
Press Release | 16th July 2020
Office of the Information Commissioner

"By 27 December 2022, all contracts must be adapted to the new standard contractual clauses. The new clauses bring substantiave innovations, as they strengthen the rights of individuals by enabling them to be informed about the processing of their data, to be able to contact foreign controllers, to receive a copy of the concluded clauses, compensation for damage caused in connection with their personal data, etc.

The EDPB adopted the final on 18 June 2021 Recommendations on measures complementing to transfer tools to ensure compliance with EU-protected personal data protection, containing steps that may assist contracting parties in determining whether complementary measures should also be introduced for a specific transfer of data, to ensure that personal data, despite the transfer to a third country and despite the lack of legislation there or protected in a way that is essentially equivalent to guaranteed data protection in the EU - as required by the judgment of the Court of Justice of the EU Schrems II. In addition, these recommendations indicate the sources of information by which parties can assess the level of protection of personal data in a third country and some concrete examples of complementary measures."

Press Release | 27th June 2021
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Federal Data Protection and Information Commission

"In its judgment of 16 July 2020 in Case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems, the Court of Justice annulled Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield. However, the EU Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries remains valid.

The FDPIC has taken note of the CJEU ruling. This ruling is not directly applicable to Switzerland. The FDPIC will examine the judgement in detail and comment on it in due course."

"Contractual safeguards such as the EU’s SCCs, which are also frequently used in Switzerland, or so-called ‘binding corporate rules’ cannot prevent foreign authorities from accessing personal data if the public law of the importing country takes precedence and allows official access to the transferred personal data without sufficient transparency and legal protection of the persons concerned.17 This is true not only in the case of transfer of personal data to the USA, but also to numerous other countries with inadequate legal protection, referred to here as ‘non-listed countries’. Accordingly, it is to be assumed that in many cases the SCCs and comparable provisions do not meet the requirements for contractual safeguards pursuant to Art. 6 Para. 2 Let. a FADP for data transfer to non-listed countries.

Practical advice for Swiss companies
When transferring data to non-listed countries in the future, data exporters should always consider each individual case with due diligence:
a) If the disclosure of data is based on contractual guarantees such as SCCs within the meaning of Art. 6 Para. 2 Let. a FADP, a risk assessment should be carried out. The exporter should check whether the clauses cover the data protection risks existing in the non-listed country. If necessary, the clauses should be expanded, although this in itself remains of limited effect if the public law of the given country takes precedence and deviates from these, as explained under b) below.
b) When examining data protection risks, it is of particular relevance whether the data is transferred to a company in a non-listed country that is subject to special access by the local authorities. 18 It must also be considered whether the foreign recipient company is entitled and in a position to provide the cooperation necessary for the enforcement of Swiss data protection principles. If this is not the case, any provisions in the SCCs concerning the obligation to cooperate are negated.
c) In such cases, the Swiss data exporter must consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data. If data is stored solely in the cloud by service providers in a non-listed country, for example, encryption would be conceivable, along the principles of BYOK (bring your own key) and BYOE (bring your own encryption), so that no individual personal data would be available in the destination country and if the service provider would have no possibility of decoding the data themselves. For services in the target country that go beyond mere data storage, however, the use of such technical measures is demanding. If such measures are not possible, the FDPIC recommends refraining from transferring personal data to the non-listed country on the basis of contractual guarantees.

Yes
NA
NA
Press Release | 16th July 2020
Policy paper | 8th September 2020
Federal Data Protection and Information Commission

Following his annual assessment of the Swiss-US Privacy Shield regime and recent rulings on data protection by the Court of Justice of the European Union (CJEU), the Federal Data Protection and Information Commissioner (FDPIC) has reassessed the data protection conformity of the Privacy Shield regime.

After closely analysing the regime, the FDPIC concludes in his position paper of 8 September 2020 that, although it guarantees special protection rights for persons in Switzerland, it does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to the Federal Act on Data Protection (FADP).

"Contractual safeguards such as the EU’s SCCs, which are also frequently used in Switzerland, or so-called ‘binding corporate rules’ cannot prevent foreign authorities from accessing personal data if the public law of the importing country takes precedence and allows official access to the transferred personal data without sufficient transparency and legal protection of the persons concerned.17 This is true not only in the case of transfer of personal data to the USA, but also to numerous other countries with inadequate legal protection, referred to here as ‘non-listed countries’. Accordingly, it is to be assumed that in many cases the SCCs and comparable provisions do not meet the requirements for contractual safeguards pursuant to Art. 6 Para. 2 Let. a FADP for data transfer to non-listed countries.

Practical advice for Swiss companies When transferring data to non-listed countries in the future, data exporters should always consider each individual case with due diligence:
a) If the disclosure of data is based on contractual guarantees such as SCCs within the meaning of Art. 6 Para. 2 Let. a FADP, a risk assessment should be carried out. The exporter should check whether the clauses cover the data protection risks existing in the non-listed country. If necessary, the clauses should be expanded, although this in itself remains of limited effect if the public law of the given country takes precedence and deviates from these, as explained under b) below.
b) When examining data protection risks, it is of particular relevance whether the data is transferred to a company in a non-listed country that is subject to special access by the local authorities.
c) In such cases, the Swiss data exporter must consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data. If data is stored solely in the cloud by service providers in a non-listed country, for example, encryption would be conceivable, along the principles of BYOK (bring your own key) and BYOE (bring your own encryption), so that no individual personal data would be available in the destination country and if the service provider would have no possibility of decoding the data themselves. For services in the target country that go beyond mere data storage, however, the use of such technical measures is demanding. If such measures are not possible, the FDPIC recommends refraining from transferring personal data to the non-listed country on the basis of contractual guarantees.

Yes
NA
NA
Press Release | 8th September 2020
Policy paper | 8th September 2020
Federal Data Protection and Information Commission

"Based on a flowchart, the guide explains steps required for international data transfers. It suggests to assess the transfer, identify whether the personal data is provided with adequate protection and if it is determined there would not be adequate protection, implement additional measures or cease transferring the personal data.

The Guide also explains four guarantees required in relation to official access in the third country (e.g. for national security or criminal investigation purposes). These guarantees are:
1. principle of legality: clear, precise and accessible rules
2. proportionality of the powers and measures regarding the regulatory objectives pursued
3. effective legal remedies must be available to the individual
4. guarantee of legal recourse and access to an independent and impartial court"

Guide | June 2021
Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Spanish Federal Data Protection Agency (AEPD)

"On July 16, 2020, the Court of Justice of the European Union (CJEU) has published a judgment in which it annuls Decision 2016/1250 of the Commission that declared the adequate level of protection of the Privacy Shield scheme...

The ruling, whose implications mark a new turning point in the way in which international data transfers to the US are made, establishes, in turn, the validity of the standard contractual clauses adopted by the European Commission to carry out international transfers of data. data between a controller established in the European Union and a controller outside the EU."

NA

Yes
NA
NA
Press Release | 2nd September 2020
Basque Data Protection Agency (Basque Country)

No statement

Catalan Data Protection Authority (Catalonia)

No statement

Supervisory Authority Comments Guidance on Risk Assessmentand Additional Safeguards Privacy Shield invalidated Apply to Binding Corporate Rules (BCRs)? Article 49 derogations limited?
Swedish Authority for Privacy Protection

"The European Court of Justice ruled yesterday that the Privacy Shield agreement between the EU and the US does not provide sufficient protection for personal data when they are transferred to the US. The annulment of the Privacy Shield means that personal data controllers in the EU are no longer allowed to transfer personal data to recipients in the US on the basis of the Privacy Shield. On the other hand, the Court held that the Commission's decision on standard contractual clauses is valid and that they can be used for transfers to countries outside the EU and the EEA - where applicable - together with additional safeguard measures."

"There is no longer scope for the data controller to itself decide whether an adequate level of protection exists or not. Only the European Commission can take such a decision."

Yes
NA
"Yes. If the data subject's interests weigh more heavily than your compelling and legitimate interests, you may not transfer the personal data. You must inform both Swedish Authority for Privacy Protection and the data subjects of the transfer and of the compelling interests that you wish to achieve. "
Press Release | 17th July 2020
Guidance on Transfer of data to a third country | 18th May 2021

Related stories from our blog

On-Demand Webinar
22 Oct, 2020, 10:00 - 11:00 AM PDT

Navigating the Impact of “Schrems II” and Cross-Border Data Transfers

Thousands of companies have leveraged the Privacy Shield as a legal mechanism when transferring personal data from the European Union to the United States. With the recent Schrems II judgement...

View More
View More

Analyzing Assessments and Additional Safeguards for Cross Border Data Transfers post Schrems-II

The Court of Justice of the European Union (CJEU) released a decision invalidating the US-EU Privacy Shield arrangement for transatlantic data transfers and changing obligations of data controllers when using Standard Contractual Clauses (SCCs) as a mechanism to...

View More

Schrems-II judgment opens door for complaints on EU-US transfers

Things are getting serious for 101 EU data controllers sending data to the US – Max Schrems’ organization “NOYB” lodges complaints with various EU authorities One month ago, the Court of Justice of the European Union (CJEU) delivered...

Automating privacy operations across your organization

The multi-disciplinary practice to grow trust-equity of your brand and comply with privacy regulations.

Get the Book

“By leveraging the PrivacyOps constructs from this book across our organization we were able to not only save time and money but also mitigate the risks associated with manual methods of privacy management.”

- Marty Collins, Chief Privacy and Legal Officer, QuinStreet, Inc

Take a
Product Tour

See how easy it is to manage privacy compliance with robotic automation.