On June 18, 2021, the European Data Protection Board (EDPB) adopted its final Schrems II guidance on supplementary measures to support international data transfers. You can operationalize the EDPB’s guidance today with OneTrust’s expanded Schrems II Solutions which provide both EU exporters and importers with the support they need to comply with the EDPB’s final Schrems II guidance.

The CJEU’s ruling on the Schrems II case in July 2020 invalidated the EU-US Privacy Shield, meaning that organizations have had to find alternative mechanisms to rely on for the lawful transfer of personal data. In November 2020, the EDPB released draft guidelines on supplementary measures to ensure an appropriate level of protection when personal data is transferred from the EU to a third country. The EDPB has now released its final guidance on supplementary measures, providing exporters and importers with a clear outline to safeguard their data transfers.

What are the final EDPB Schrems II recommendations?

The EDPB’s final Schrems II guidance sets out clear contractual, organizational, and technical measures, including a six step roadmap, that allows data exporters and importers to ensure that their personal data protection is equivalent to the protection offered in the EU. The final guidance highlights the following updates:

• Emphasis is placed on exporters recognizing the importance of examining third country public authorities’ practices in their legal assessments to help determine whether the legislation or practices hinder the effectiveness of the Article 46 transfer tool.
• Exporters are encouraged to consider the practical experience of the importer when carrying out their assessments.
• The guidance highlights that the effectiveness of the data transfer tool may be affected by the legislation of the third country destination allowing its authorities to access the transferred data, even without the importer’s intervention.

OneTrust’s expanded Schrems II Solutions support both data exporters and importers to implement the EDPB’s guidance with an enhanced set of tools, guidance, and templates, all available on the platform today.

How do OneTrust’s expanded Schrems II solutions support exporters?

Data exporters can leverage OneTrust’s Schrems II Solutions to implement the EDPB’s six-step roadmap. With pre-built templates, exporters can assess third countries, carry out Transfer Impact Assessments (TIAs), and evaluate the effectiveness of their supplementary measures.

OneTrust helps exporters with a range of tasks, including:

• Map Transfers: Centrally document and visualize all cross-border transfers, relevant data importers, as well as the third countries involved.
• Verify Transfer Tool: For each transfer document, verify the transfer mechanism used, enabling a risk-based approach to prioritize further analysis.
• Assess Effectiveness: Leverage pre-built templates to carry out TIAs in collaboration with the data importer to determine the effectiveness of the transfer tool in the specific context of each transfer.
• Adopt Measures: Use pre-built templates based on the EDPB guidelines to determine the technical, contractual, or organizational supplementary measures that can be implemented if the transfer tool is deemed ineffective.
• Update Contracts: Action any necessary steps highlighted in the analysis, including updates to contracts and implementing technical controls.
• Monitor and Revaluate: Ensure the continued effectiveness of supplementary measures and that data importers honour their commitments by monitoring third-country developments and evaluating new transfers.

How can importers leverage OneTrust’s expanded Schrems II solutions?

OneTrust helps data importers ensure that appropriate operational processes, technical controls, and compliance mechanisms have been implemented across their organization. Importers can also leverage OneTrust’s expanded Schrems II Solutions for support with specific challenges posed by the Schrems II decision and the EDPB’s final guidelines, including:

• Third Country Assessments: Proactively assess third countries with pre-built assessment templates to be prepared for data exporter requests.
• Transparency Reporting: Centrally create, manage, and host a Transparency Report as part of your privacy policy, sharing information about government surveillance requests.
• Assessment Response Automation: Streamline your response to TIAs from data exporters with pre-answered questions creating a central answer bank, which can then be auto-applied to subsequent questionnaires using AI and NLP technology

The Schrems II decision continues to pose operational challenges for organizations, but the EDPB’s final guidance on supplementary measures provide much needed guidance on the future of safe and lawful international data transfers to third countries. For information on how OneTrust can support compliance with the Schrems II decision and the EDPB’s latest guidance, check out OneTrust’s Schrems II Solutions.

Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on the EDPB’s final Schrems II Guidance.