The European Data Protection Board (EDBP) has published its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
These recommendations follow the Court of Justice of the European Union (CJEU) judgement C-311/18 “Schrems II” which stated that the protection granted to personal data in the European Economic Area (EEA) must travel with the data wherever the data go. The EDPB seeks comments on the Recommendations (the deadline being 21 December 2020).
The EDPB recommended a step-by-step approach:
1. “Know your transfers”;
2. Identify the transfer tools you are relying on;
3. Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer;
4. Adopt supplementary measures;
5. Procedural steps if you have identified effective supplementary measures;
6. Re-evaluate at appropriate intervals.
Finally, the Recommendations offer several examples of supplementary measures (organisational, contractual and technical) and seven use cases.