On the 11th of November, the European Data Protection Board (‘EDPB’) issued its recommendations on the types of supplementary measures that organisations can adopt to ensure that their international data transfers are compliant with the GDPR. The recommendations, adopted by the EDPB, will now be submitted for public consultation.
In our data privacy summer series of webinars (recordings of which can be found here), we discussed the implications of the recent Schrems II decision, including the requirement for supplementary measures to protect certain international data transfers, and have been awaiting this guidance on what form these measures could take from the EDPB since that decision.
The good news for organisations is that Annex 2 of the recommendations sets out a number of helpful international data transfer use cases, accompanied by a recommended supplementary measure that could be employed by an organisation in order to ensure an essentially equivalent level of protection to that guaranteed under the GDPR. However, it also gives example use cases where no form of supplementary measure could ensure an essentially equivalent level of protection and notes that in these cases, transfers of personal data would not be permitted.
Any organisation making transfers of personal data outside the EEA to a country that does not benefit from an adequacy decision from the European Commission should review this guidance and assess the implications for its current and future data flows.
If you would like help with this exercise, or in understanding the implications of the recommendations or the Schrems II decision, our data privacy team would be delighted to assist you.
David Goodbrand
Partner
Commercial Contracts
David specialises in advising clients on outsourcing arrangements, IP licensing, complex commercial contracts, fintech and the use of information.
Written by
Related News, Insights & Events
Error.
No results.
From pitches to platforms: Harnessing IP & technology in a summer of sport
13/05/2026
We invite you to join us for our annual IP & technology conference, taking place at the Social Hub in Glasgow on Wednesday 13th May.
Is the definition of “personal data” having an identity crisis?
26/02/2026
The definition of “personal data” has been subject to recent scrutiny in both the EU and the UK. In this article, we explore some of the recent case law and commentary in both the UK and the EU.
The Interactive Entertainment Scotland manifesto: laying the policy foundations for a Scottish games super cluster
18/02/2026
This blog discusses Interactive Entertainment Scotland's (IES), first manifesto ahead of the Scottish Parliament elections in May 2026.
{name}
{properties.pageSummary}
{properties.eventName}
{properties.pageDate|date:dd/MM/yyyy}{properties.shortDescription}
{properties.headline}
{properties.pageDate|date:dd/MM/yyyy}
{properties.shortDescription}
