The European Data Protection Board (EDPB) has published Frequently Asked Questions (FAQs) regarding the Judgement of the European Court of Justice (ECJ) in case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd. and Maximilian Schrems, invalidating Commission Decision 2016/1250 (The Privacy Shield Decision), while maintaining valid Commission Decision 2010/87 on Standard Contractual Clauses (SCCs Decision).
The FAQs reported by the EDPB are the following:
1) What did the Court rule in its judgment?
2) Does the Court’s judgment have implications on transfer tools other than the Privacy Shield?
3) Is there any grace period during which I can keep on transferring data to the U.S. without assessing my legal basis for the transfer?
4) I was transferring data to a U.S. data importer adherent to the Privacy Shield, what should I do now?
5) I am using SCCs with a data importer in the U.S., what should I do?
6) I am using Binding Corporate Rules (“BCRs”) with an entity in the U.S., what should I do?
7) What about other transfer tools under Article 46 GDPR?
8) Can I rely on one of the derogations of Article 49 GDPR to transfer data to the U.S.?
9) Can I continue to use SCCs or BCRs to transfer data to another third country than the U.S.?
10) What kind of supplementary measures can I introduce if I am using SCCs or BCRs to transfer data to third countries?
11) I am using a processor that processes data for which I am responsible as controller, how can I know if this processor transfers data to the U.S. or to another third country?
12) What can I do to keep using the services of my processor if the contract signed in accordance with Article 28.3 GDPR indicates that data may be transferred to the U.S. or to another third country?