The judgment of the Court of Justice of the European Communities of Thursday 16 July 2020 in the Schrems II case established that the Privacy Shield is no longer a valid possibility to transmit personal data outside the EEA. Standard Contractual Clauses (SGB) remain valid. For more information, please see our latest explanation. With regard to international data transfers, Privacy Shield is an authorised solution to the extent that personal data arrives from the EEA to the United States, but if data is transferred across borders, other solutions, such as standard contractual clauses approved by the European Commission or binding corporate rules, may be more appropriate. The rules applicable to transfers outside the EEA remain similar to the current GDPR rules. Although the UK will make its own adequacy decisions at the end of the transition period, the UK Government has confirmed its intention to recognise, to the extent possible, existing EU adequacy decisions, approved KICs and BCRs. The Article 29 Group has developed a series of working documents on the idea of using the BCR to provide adequate safeguards for the prior transfer of limited credit transfers. These form a “toolbox” for organizations. The documents, including application forms and guidelines, have all been reviewed and updated in accordance with the GDPR (see “In detail” below). Schrems II – In the current case, the Court of Justice of the European Communities is invited to assess the validity of the Standard Contractual Clauses (SCC) approved by the European Commission. Given that hundreds of thousands of companies depend on this SCC for their international data transfers, the decision will be even more effective in this regard. The Advocate General has today presented his Opinion.
Although the Tribunal is not bound by this counsel and will make its own decision, the GA`s observations are generally considered to be determinative. In each scenario, the parties should have an understanding and record of the underlying personal data that will be transferred in order to be sure of their own responsibilities and the responsibilities of the third party concerned that will be reflected in the transfer contract. Personal data is transmitted by a controller in France to a controller in Ireland (both EEA countries) via a server in Australia. There is no intention to access or manipulate personal data while it is in Australia. Therefore, the transfer only takes place in Ireland. In addition, the GDPR introduces a new and limited derogation for unsheathed transmissions involving a limited number of data subjects. In the absence of another legal basis, the transfer shall be permitted if it is necessary for the purposes of the legitimate interests of the data exporter, which are not overted by the interests of the data subject, and if the exporter has provided appropriate safeguards for the data transmitted. In such cases, the exporter must inform the competent data protection authority and the data subject of the transmission.
If you enter into a new contract, you must use the default contractual clauses in full and without modification. They may add additional clauses on matters related to the cases, unless they are contrary to the standard contractual clauses. You can also add parties (i.e. importers or exporters of additional data) as long as they are also bound by the standard contractual clauses. You can make a limited transfer if the recipient has signed a code of conduct approved by a supervisory authority. The code of conduct must include appropriate safeguards to protect the rights of persons whose personal data have been transmitted and who can be directly applied. . . .