Schrems II: Dealing with international transfers

December 15, 2020


It’s been a busy time for privacy professionals over the past few months and there is no doubt that it’s going to get even busier with the new Schrems II recommendations that were published on November 11, 2020, by the European Data Protection Board (EDPB). With the significant development of the European Data Protection Board releasing their recommendations following the Schrems II decision, privacy experts are staying on their toes. Throughout this blog, we’ll discuss the EDPB’s recommendations.

Watch the Webinar: Schrems II Fallout — Dealing with International Transfers Post Schrems II

A brief synopsis of key points from the Schrems II decision

Two key points that came from the Schrems II decision were the invalidation of the Privacy Shield Program and the primary obligation of data importers and exporters to verify through an assessment, prior to any transfer, the laws of the third country outside of the EU where data is being transferred to.

Neither the court in Scherms II nor the EDPB in its subsequent guidance in July specified in detail what the assessment or the supplementary measures may involve. With the recommendations that were just released the details of what these assessments entail and what should be considered have been revealed. 

What are the supplementary measures recommendations for Schrems II?

The first set of recommendations covers the actual assessment and the supplementary measures that data exporters may need to adopt for compliance of an EU level of personal data protection. The key elements of these recommendations consist of six steps that need to be taken by data exporters: 

  1. Map Data Transfers: Data exporters are advised to identify in the document their data transfers by mapping out international transfers from the EU. The EDPB suggests that companies may want to use their Article 30 data processing record to assist in this process.
  2. Identify Data Transfer Mechanisms: This step entails verifying, when you are transferring the data outside of the EU, whether the data is going to a recipient country that is adequate and to identify, for each transfer, the appropriate Article 46 safeguards, or Article 49 derogations. This supplements the data mapping exercise by looking at these transfers and identifying which is a legal mechanism to be used for each transfer.
  3. Assess the Recipient Country’s Legal Order: This key step is to assess the legislation and laws of the recipient country. Companies must determine whether the country provides an adequate level of protection. In addition, other matters need to be considered such as the actors that are involved in the transfer. Is the data being transferred to controllers, processors, or sub-processors? In assessing the third country’s legal order you are also required to have reference to the Four Essential Guarantees. 
  4. Identifying Supplementary Protective Measures: The fourth step is to identify whether supplementary measures should be put in place. These importantly are only necessary if the assessment in step 3 reveals that the third country law impinges upon the effectiveness of the Article 46 safeguard. The recommendations go through several non-exhaustive examples of technical, organizational, and contractual measures that may be put in place to provide these supplementary protective measures.
  5. Take Formal Steps for the Adoption of Supplementary Measures 
  6. Re-evaluate the Protection of Your Data Transfers at Appropriate Intervals and Monitor Developments

Read the blog: Schrems II Decision: EDPB Publishes Recommendations

Other considerations and thoughts on Schrems II:

One of the overarching concerns that the US government has, according to the white paper the US government issued, is that there needs to be timely and detailed advice. On the US side, part of the frustration is that the Schrems II decision itself doesn’t really examine US surveillance authorities. There is still a disconnect on how it seems that the EDPB looks at how US surveillance authorities work and how those authorities work in practice. There also concerns about the level of work that will be required to be compliant with these guidelines and what that entails for companies today.

Want to learn more about the Schrems II decision? Watch this webinar. 

You may also like


Responsible AI

Unpacking the EU AI Act

Prepare your business for EU AI Act and other AI regulations with this expert webinar. We explore the Act's key points and requirements, building an AI compliance program, and staying ahead of the rapidly changing AI regulatory landscape.

July 12, 2023

Learn more


Consent & Preferences

Live demo: How to automate consent and preference management with OneTrust

In this webinar, we demonstrate how OneTrust Consent and Preferences helps build stronger customer relationships by providing transparency, giving users control over their data use, and delivering personalized experiences.

June 29, 2023

Learn more


Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more