Is it necessary to take additional steps to ensure compliance with the Schrems II judgment when using the new SCCs? Is it still necessary to take EDPB guidance into account?

ANSWER

According to the judgment of the Court of Justice of the European Union in Schrems II (C-311/18), Clause 14 requires the parties, before entering into the SCCs, to assess whether the laws and practices of the third country to which the data is transferred, and which apply to the processing of personal data by the data importer, could prevent the importer from complying with the clauses. When conducting a "Transfer Impact Assessment", the parties should take into account, in particular, the circumstances of the transfer (e.g., the categories and format of the data, the type of recipient, the economic sector in which the transfer takes place, and the length of the processing chain), as well as the applicable laws and practices. The purpose of the assessment is to determine whether the laws and practices in the third country go beyond what is necessary and proportionate in a democratic society to achieve one of the objectives listed in Article 23(1) GDPR.

As part of the assessment, the parties may take into account various factors (see Clause 14, footnote 12), such as reliable information regarding the practical application of the law (e.g., case law or reports of independent authorities), the existence or absence of requests for disclosure from public authorities within the same sector, and, subject to strictly defined conditions, the documented practical experience of the data exporter and/or the data importer. If the assessment is negative, the parties may transfer data under the SCCs only if they implement additional ("supplementary") safeguards (e.g., technical measures ensuring data security, such as end-to-end encryption) that are appropriate to the circumstances and ensure compliance with the clauses. The same applies where the data exporter subsequently becomes aware that the data importer is no longer able to comply with the SCCs, including as a result of changes to the laws of the third country. In such a case, the data exporter will be required to suspend the transfer of data if it determines that adequate safeguards cannot be ensured, or if instructed to do so by the competent supervisory authority.

SCCs (Clause 14) should not be interpreted in isolation from other legal requirements but should be applied together with the detailed guidance issued by the European Data Protection Board (EDPB). See Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (18 June 2021), available at: https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf

The Recommendations include a roadmap of actions to be taken as part of the assessment, a list of possible sources of information for the assessment (Annex 3), and examples of supplementary measures (Annex 2).