The decision by the Court of Justice of the European Union in “Schrems II” provides that the controller-to-processor standard contractual clauses (C2P SCCs) are a viable mechanism for data transfers from the EU to third countries, but it identifies further conditions that need to be considered when implementing them in order to meet the requirement to provide “adequate protection” for such transfers.
The CJEU put the onus on data exporters to determine whether the exporter’s implementation of the C2P SCCs provides sufficient protection in light of any access by the public authorities in the third country to the personal data transferred and the relevant aspects of the legal system of such third country. It further notes that individual member state data protection authorities are empowered to evaluate the adequacy of the C2P SCCs adopted in any case and that those authorities should suspend or ban data transfers whenever the factual conditions render the C2P SCCs an ineffective mechanism to ensure the protection of the personal data transferred.
Note: This is the second in a series of guidance notes on what the “Schrems II” decision means for companies that rely on EU-U.S. Privacy Shield, controller-to-processor standard contractual clauses, SCCs for transfers to controllers, derogations/exceptions to transfer restrictions, and binding corporate rules, as well as what “Schrems II” means for Brexit and what companies can expect with the road ahead on these issues.