Schrems II Update - July

In the past weeks, there have been a number of developments related to the consequences of the decision of the Court of Justice of the European Union (CJEU) in Schrems II. We summarised the final Recommendations of the European Data Protection Board (EDPB) on Schrems II supplementary measures here. The most noteworthy developments from national supervisory authorities are summarised below: 

• On 23 June 2021, the French supervisory authority (CNIL) issued guidance aimed to assist controllers with identifying international data transfers to third countries, conducting assessments and implementing measures to comply with the Schrems II. The CNIL provides a checklist for internal and external systems, services and related contracts that typically include data transfers outside the EU. The CNIL further recommends identifying business-critical transfers (i.e. in terms of risks to data subjects, risks to availability and security of information systems of the controller or third parties and reputational risks) and adopting action plans to achieve Schrems II compliance. The action plans, signed off by the organisation’s top management, should include assessment whether specific transfers have legal basis and identify possible solutions, including implementing supplementary technical, organisational or contractual measures or discontinuing the transfer. Transfers outside the EU should be subject to regular evaluation and review to verify changes in the transfers or the laws of the third country. The CNIL also updated its FAQs on the Schrems II judgment and its guidance on the consequences of the Schrems II judgment on transfers to the US. The most recent CNIL guidance is available here, the updated Schrems II guidance here and the updated FAQs here (all only available in French). 
• On 22 June 2021, the Hessian supervisory authority (Hessian DPA) published a statement commenting on Schrems II. The statement highlights that organisations should be aware that transfers of personal data to third countries (including the USA) are not permitted without implementing supplementary measures. Controllers should verify their international data transfer practices and demonstrate that they carried out the necessary assessments and, if necessary, have taken the initial steps to ensure that the requirements of the GDPR are met. The Hessian DPA also notes that for complex processing situations, companies should draw up appropriate implementation roadmaps and consider seeking advice from the Hessian DPA. The press release is available here (only in German). 
• On 21 June 2021, the national conference of German federal and state data protection authorities (DSK) published a statement on the EC’s new standard contractual clauses (SCCs) and the EDPB’s Recommendations 01/2020 on measures that supplement transfer tools. The DSK notes in its statement that the new SCCs may serve as a legal transfer tool, however, organisations are required to examine the law and practice of the third country of the recipient, as supplementary measures may be necessary. The DSK clarifies that if the level of data protection in a third country does not meet the required level of protection, the transfer should not take place. The DSK press releases are available here and here (both only available in German).