On the 11th of November, the European Data Protection Board (‘EDPB’) issued its recommendations on the types of supplementary measures that organisations can adopt to ensure that their international data transfers are compliant with the GDPR. The recommendations, adopted by the EDPB, will now be submitted for public consultation.

In our data privacy summer series of webinars (recordings of which can be found here), we discussed the implications of the recent Schrems II decision, including the requirement for supplementary measures to protect certain international data transfers. Since that decision, we have been awaiting this guidance from the EDPB on what form these measures could take.

The good news for organisations is that Annex 2 of the recommendations sets out a number of helpful international data transfer use cases, accompanied by a recommended supplementary measure that could be employed by an organisation in order to ensure an essentially equivalent level of protection to that guaranteed under the GDPR. However, it also gives example use cases where no form of supplementary measure could ensure an essentially equivalent level of protection and notes that in these cases, transfers of personal data would not be permitted.

Any organisation making transfers of personal data outside the EEA to a country that does not benefit from an adequacy decision from the European Commission should review this guidance and assess the implications for its current and future data flows.

If you would like help with this exercise, or in understanding the implications of the recommendations or the Schrems II decision, our data privacy team would be delighted to assist you.