The EDPB's recommendations on measures supplementing the non-EEA personal data transfer instruments and on essential European safeguards after the Schrems II judgment

Cyber, Privacy and Data Innovation Alert | November.24.2020

italiano: Le raccomandazioni dell’EDPB sulle misure che integrano gli strumenti di trasferimento dei dati personali extra SEE e sulle garanzie essenziali europee dopo la sentenza Schrems II

By: Ivan Rotunno, Giulia Rivarola di Roccella and Martina Acquaro

On November 10th , during its 41st plenary session, the European Data Protection Board (“EDPB”) approved the text containing recommendations on measures integrating the transfer instruments to ensure compliance with the level of protection of personal data similar to that provided by EU law.

The document, called “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”, is not the only measure of the Authority which, during its meeting in Brussels, also adopted the recommendations on the European Essential Guarantees for surveillance measures.

Through the Recommendations, the EPDB suggests that a mapping of all non-EU transfers that are carried out by the data controller should be carried out, also taking into account relationships with suppliers or distributors that have been operating with the company for some time.

Following the mapping process of individual relationships, the EDPB recommends that companies verify the mechanisms that constitute the legitimate conditions for the transfer of personal data.

The assessment of the adequacy of the cross-border relationship should continue with an assessment procedure aimed at verifying on a case-by-case basis the data and personal information protection safeguards offered by the legal orientation of the entity “importing” the data. 

The elements to be taken into consideration at this phase, according to the EDPB, must concern the provisions on the powers of interference of public authorities for monitoring and surveillance activities.

Once the reference regulations of the individual importers have been considered, the controller must provide for the implementation of security measures to ensure an adequate level of protection equivalent to European standards.

This phase is applied in circumstances where the State has not adopted an adequacy decision as a data transfer mechanism. In fact, the evaluation of the data controller has value in the case of the use of standard contractual clauses ("SCCs") referred to in art. 46 GDPR.

Annex 2: “examples of supplementary measures” lists a series of safeguards to meet the requirements for the transfer of personal data, in compliance with the GDPR.  However, as clarified by the Committee, the selection and implementation of one or more of the listed measures will not automatically authorise the transfer of personal data to the third country.

Recommendations 02/2020 provided by the EDPB aim to “provide elements which have to be assessed to determine whether the legal framework governing access to personal data by public authorities in a third country, being national security agencies or law enforcement authorities, can be regarded as a justifiable interference (and therefore as not impinging on the commitments taken in the art 46 GDPR transfer tool) or not. In particular, this should be carefully considered when the legislation governing the access to data by public authorities is ambiguous or not publicly available”.

When applied to data transfer cases through the use of Standard Contractual Clauses, the EDPB recommendations on European Essential Assurances may support the exporter in assessing the legislation of the importing country and in the verification of any interference by the authorities.


Further analysis is available in Italian: Le raccomandazioni dell’EDPB sulle misure che integrano gli strumenti di trasferimento dei dati personali extra SEE e sulle garanzie essenziali europee dopo la sentenza Schrems II