19 November 2020
Following the CJEU’s ruling in Schrems II, data transfers to the US can no longer be based on the Privacy Shield.
In addition, each data transfer to a third country based on a GDPR “appropriate safeguard” (including standard contractual clauses (SCCs) and binding corporate rules (BCRs)) must be individually assessed and documented to demonstrate that the law or practice of the third country does not impinge on the effectiveness of the safeguards the parties are relying on. The EDPB published practical recommendations to that end.
These new requirements apply to data transfers to the US, to the UK after Brexit (i.e. from 1 January 2021) and, more generally, to any third country with no adequacy decision.
At the same time, SCCs are being entirely redesigned. Companies using SCCs will therefore need to update them.
by multiple authors
Flash IP/IT
by Marc Schuler and Inès Tribouillet