Schrems II Action Plan: How Working with Vendors Will Change

In July 2020, the CJEU’s Schrems II judgment invalidated the EU-US Privacy Shield and required additional safeguards when using standard contractual clauses (SCCs) to transfer personal data from the EU to non-EU/EEA third countries. As a result, many organizations had to find alternative mechanisms to lawfully transfer personal data and evaluate the level of data protection in third countries. Since then, organizations have eagerly waited for the European Data Protection Board (EDPB) to provide clarity in its final Schrems II recommendations on supplementary measures for international personal data transfers. On June 18th, the EDPB released that guidance.
The EDPB’s recommendations outline a six-step roadmap to ensure the lawfulness of personal data transfers and describe specific technical, contractual, and organizational measures that data exporters and data importers should consider implementing to ensure that transferred personal data enjoys a level of data protection essentially equivalent to that guaranteed in the EU.
So, what does this mean for your vendor risk management strategy? In this 30-minute webinar, we’ll discuss practical steps for adapting your vendor risk management strategy to meet the EDPB’s guidance. This will include:
- Overview of the six-step roadmap for international personal data transfers
- Key aspects to consider for assessing a third country’s level of personal data protection
- How to evaluate and adopt supplementary measures for personal data transfers
- Next steps for your vendor risk management program