GDPR : International Data Transfers

GDPR : International Data Transfers

Under the General Data Protection Regulation (GDPR), personal data transfer outside of the EEA (i.e. EU and Norway, Lichtenstein and Iceland) or to international organisations are allowed only if one of the following conditions is met:

the third country is recognised as providing an adequate level of protection via an adequacy decision adopted by the European Commission;

adequate safeguards are implemented (e.g. EU Standard Contractual Clauses, BCR, approved certification or code of conduct.);

a derogation provided for in article 49 is applicable (e.g. express consent, vital interest etc.).

Schrems II: The EDPB Released a FAQ Awaiting its Guidance on the CJEU Judgment

Schrems II: The EDPB Released a FAQ Awaiting its Guidance on the CJEU Judgment

On 23 July 2020, the European Data Protection Board (EDPB) released a FAQ on the consequences of the CJEU’s judgement of 16 Juley 2020 (Schrems 2)

This judgment invalidates the Privacy Shield, an EU-US data transfer mechanisms, and conditions the validity of the Standards contractual clauses (SCCs), another transfer mechanisms, to the prior analysis of the level of protection provided by the third country recipient and the implementation of additional measures where necessary.

This FAQ  provides a glimpse of the position of the Authorities following the CJEU Decision that calls into question the possibility to transfer any personal data to the US. However, the EDPB remains relatively unspecific as it is currently working on more detailed guidance that should be released shortly.

CJEU: The Judgement on the Validity of the Standard Contractual Clauses Expected on July 16, 2020

CJEU: The Judgement on the Validity of the Standard Contractual Clauses Expected on July 16, 2020

The Court of Justice of the European Union (“CJEU”) announced that it will deliver its judgement in the Schrems II case (case C-311/18) on July 16, 2020.

This judgement will determine whether the Standard Contractual Clauses (“SCCs”) are a valid personal data transfer mechanism under the General Data Protection Regulation (“GDPR”).

This mechanism being widely used by companies to transfer personal data outside of the EU, the decision is eagerly awaited.