Privacy Talk

Pdf version Archive Subscribe
Your business • January 2021

What impact does Schrems II have on transfers of personal data by your company?

What you need to know.

Did you know that on January 28, 1981, Convention 108, the Council of Europe's first legally binding international instrument in the field of data protection, was opened for signature? Since 2007, this has been the date on which we celebrate International Data Privacy Day! An ideal moment to look back at one of the past year’s most important developments in terms of data protection: the long-awaited Schrems II judgment of the European Court of Justice on the transfer of personal data outside the EEA.

On July 16, 2020, the Court of Justice declared the EU-US Privacy Shield to be invalid. The Court is of the opinion that the EU-US Privacy Shield offers too few guarantees to data subjects for the protection of their personal data in the US, in particular due to excessive interference by the US government. In concrete terms, this means that all transfers of personal data to the US based on the EU-US Privacy Shield have since become invalid.

Your company does not transfer personal data to the US? Keep reading nevertheless! Although the Court only declared the EU-US Privacy Shield to be invalid, it also ruled that from now on a « data transfer impact assessment » must be conducted for any transfer outside the EEA. Thus, the judgment has an impact on any company that transfers personal data outside the EEA, regardless of the mechanism invoked by the company. Do not forget that, since Brexit, transfers to the UK are also in principle considered to be transfers outside the EEA (although the EU-UK Trade and Cooperation Agreement still provides for an exception to this until at least April 30, 2021). 

What you need to do.

First of all, you have to identify all transfers of personal data outside the EEA. This also includes the mere storage of personal data with parties located outside the EEA. Then you must determine which mechanism your company can rely on for the transfer. This is nothing new. The Schrems II judgment makes it clear that you must also perform a data transfer impact assessment.

If one of the adequacy decisions of the European Commission applies to the third country, your company does not have to take any further steps (with the exception of monitoring the validity of the adequacy decision). In such a case, the European Commission has already carried out the data transfer impact assessment. The data transfer impact assessment also stops here if your company invokes one of the grounds for exception provided for in Article 49 of the GDPR for occasional transfers. 

If, on the other hand, your company uses the European Commission's Standard Contractual Clauses or has adopted binding corporate rules for intra-group transfers, you should always verify that the laws and practices of the third country do not undermine the effectiveness of the contract/the rules and, if necessary, take additional measures to protect the personal data transferred to the third country. In this regard, the EDPB recently published guidelines to assist companies in carrying out this analysis. For example, you need to check whether the data subjects can effectively exercise their rights in such third country, whether there is legislation in place that regulates the access of public authorities to personal data, and whether an independent data protection authority is active. The guidelines provide relevant information sources for this analysis. If the data transfer impact assessment shows that the legislation of the third country impairs the effectiveness of the transfer mechanism you are invoking, you must stop the transfer or provide for additional safeguards. The guidelines offer several examples of additional measures that can be taken.

It is advisable to document the data transfer impact assessment of each transfer in a central document, in case a data protection authority has any questions about this.

Finally, you still have some time for transfers to the UK. The transfer of personal data is still possible at least until April 30, 2021 without additional measures. This transition period can be extended by another two months and should give the European Commission enough time to determine whether an adequacy decision can be adopted for the UK. If there is no (timely) adequacy decision, your company will henceforth have to rely on a different mechanism (including data transfer impact assessment) or invoke one of the grounds for exception.

2021 therefore promises to be an interesting and exciting year for data protection as well!

Please consult our website or contact one of our team members if you have questions or require more information:

Laura Sente

senior associate
laura.sente@contrast.law

Have a look at our 'GDPR toolkit'

GDPR toolkit

Receive our ‘Privacy Talk’ directly in your inbox

Subscribe

Discover the previous issues in our Archive

Archive
In the Picture - November 2024

Nuts and bolts: the new EU repair rules
Books

Burgerlijk wetboek / Code civil
Articles

FIFA moet transferregels aanpassen na uitspraak Hof van Justitie in zaak-Diarra
More Newsletter

Log into your account

Forgot password? Not a member yet?

Forgot password?

Request a new password by providing your email address.

Log into your account

Password reset

Enter your new password.

Password registration

Enter a password to protect you personal pages.

Activate your account

Activate your account by providing your email address.

Thanks

You will receive an email with a link to enter a new password.

Close

Thanks

Your new password is successfully saved.

Close
Close

Cookies

This website uses cookies to improve your browsing experience and to better tailor the website to your preferences. For more information about cookies and the list of cookies used on this website, see our Cookie Statement.

Below you can indicate your cookie preferences:

ON

Essential cookies are cookies that are necessary for the correct functioning of the website (e.g., to avoid overload on the website, keeping it functional and accessible). These cookies can be placed without your consent.

ON

Functional cookies are cookies that are necessary to improve your browsing experience or to provide a functionality explicitly requested by you (e.g. remembering your settings). These cookies can also be placed without your consent.

Analytical cookies are cookies that collect information about how you use the website to improve search engine hits and the functioning of the website (e.g. we see how visitors move around the website when they are using it to ensure that visitors find what they are looking for easily). These cookies are only placed if you have given your consent.

Advertising cookies are cookies that collect information about your surf and search behaviour in order to offer you personalised advertising in ad spaces on websites based on your personal interests. These cookies are only placed if you have given your consent.

Social media cookies are cookies that make it possible to share certain features from the website on social media networks (e.g. Facebook). Furthermore, these cookies collect information about your surf and search behaviour on the website in order to offer you personalised promotions and advertising about our products on these social media networks. These cookies are only placed if you have given your consent. It is possible that these social media networks also use the information they collect through these cookies for their own purposes. You can find more information about this in the privacy statements of the respective social media networks.

   

You can always change these preferences via your Cookie preferences.