EDPB Releases Recommendations for Supplementary Measures for Transfers of Personal Data to Recipients Outside the European Union

On November 11, 2020, the European Data Protection Board (“EDPB”) released two documents as a follow-up to the Court of Justice of the European Union’s (“CJEU”) notable July 2020 decision, known as Schrems II. These documents are intended to assist companies navigating the ever-evolving world of data transfers from the EU to third countries. The “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (the “Recommendations”) were adopted on November 10 and are open for public consultation until November 30. They provide data exporters, or the parties sending personal data out of the EU to third countries, with a set of steps to take in order to help with the “complex task of assessing third countries and identifying appropriate supplementary measures where needed.” The other document, entitled “Recommendations 02/2020 on the European Essential Guarantees for surveillance measures” (“EU Essential Guarantees”) and providing further information for the assessment of third countries, was adopted outright.

Public Consultation on Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679

The European Data Protection Board (“EDPB”), has just issued a consultation which aims to clarify and establish a common understanding of the notion of the terms “relevant and reasoned” under the General Data Protection Regulation (“GDPR”). With the cooperation mechanism set out by the GDPR, the supervisory authorities (“SAs”) must ensure that relevant information is exchanged with each other in order to reach consensus.

Analyzing The EDPB’s Guidelines On Article 28 Data Processing Agreements

Keypoint: Entities that use Article 28 data processing agreements should closely review the EDBP’s draft guidelines and modify their data processing agreement as necessary.

In September, the European Data Protection Board (EDPB) adopted Guidelines 7/2020 on the concepts of controller and processor in the GDPR (Guidelines). The Guidelines, which are open for public consultation until October 19, 2020, address three topics – the distinctions between controllers and processors, the relationship between controllers and processors, and the consequences of joint controllership.