In essence:
Know your transfers/establish your place of destination
Choose a transfer tool (Adequacy Decision, Appropriate Safeguards-SCCs,BCRs, Derogations),
Assess the recipient country’s privacy and data protection regulatory framework,
Apply the necessary supplementary measures
Assess their applicability
Re-Evaluate regularly.
Germany: Using Mailchimp to send newsletters to the EU is illegal. Do we have other solutions? – DPO-net.RO. Following a complaint regarding non-compliance with Art.44 GDPR, the German Supervisory Authority (BayLDA) considered it illegal for a German company (FOGS Magazin, Munich) to use Mailchimp 's services (The Rocket Science Group LLC, USA) to send newsletters, as Mailchimp may qualify as an "electronic communications service provider" under US surveillance law, and the EU data controller has not assessed this risk.
German Supervisory Authority (BayLDA) presented the following arguments: Mailchimp qualifies as an "electronic communications service provider" under US surveillance law (FISA702 (50 USC § 1881)). As FOGS Magazin stated that it would immediately stop using Mailchimp, the German Supervisory Authority (BayLDA) did not impose a fine or a corrective measure. "Following our investigation, the controller informed us that it used Mailchimp twice to send newsletters. Due to our intervention, the company has now announced that it will stop using Mailchimp with immediate effect. EU: EDPB recommendations on supplementary measures shed light on post Schrems II data transfers. The Supplementary Measures Recommendations aim to assist controllers as well as processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where the same are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries.
On the other hand, the Essential Guarantees Recommendations, an updated version of the ones issued following Maximillian Schrems v. Data Transfers Post Schrems-II: Draft EDPB Recommendations and New SCCs Now Available. Updated ICO statement on recommendations published by the European Data Protection Board following the Schrems II case. An ICO spokesperson said:
Olga Kagan. New EU SCCs: A modernized approach. On Nov. 12, 2020, the European Commission charted a new path for global data protection.
With privacy professionals still reeling after dissecting the detailed recommendations on supplementary measures put forward by the European Data Protection Board the day prior, it is possible some consequential elements of the European Commission’s draft implementing decision on standard contractual clauses for the transfer of personal data to third countries slipped past unnoticed. The commission’s draft decision includes a yearlong transition period, providing privacy professionals a moment to breathe. But, the moment will be brief. Under the commission’s proposal, companies will need to phase out and replace all existing SCCs within 12 months of the decision’s adoption, an enormous task for many.
The draft SCCs merit our full attention and a close read, particularly by those interested in sharing feedback during the public consultation, which runs through Dec. 10. Modernized contracts What else? “Schrems III”? First Thoughts on the EDPB post-Schrems II Recommendations on International Data Transfers (Part 1) – European Law Blog. 13 November 2020/ By Theodore Christakis No, there has been no new “Schrems” judgment from the CJEU.
But the publication of the post-Schrems II “Recommendations” by the European Data Protection Board (EDPB) on November 11, 2020, is such a huge aftershock than one could mistake it for an entirely new earthquake shaking the international data transfer system. After the Court of Justice of the EU (CJEU) in Schrems II on July 16, 2020 (analysed here, here and here in the blog) almost closed the door on personal data being allowed to leave Europe, some might have hoped that the EDPB would open several windows to enable the data to find its way out of the bloc. It did not. Schrems II-proof new Standard Contractual Clauses proposed by the Eur - Hogan Lovells Engage.
Unlike their predecessors, the draft new SCCs take into account the CJEU's Schrems II decision by including specific provisions dealing government access requests.
The documentation issued by the European Commission, which is open for public consultation until December 10, 2020, includes the draft Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, and the draft Annex to the Commission Implementing Decision with the proposed new SCCs. A modular approach Unlike the existing sets of SCCs, which included two different versions (controller-to-controller and controller-to-processor), the new SCCs adopt a modular concept that cater to various transfer scenarios: Controller to controller transfers; Controller to processor transfers; Processor to processor transfers; and Processor to controller transfers. Ensuring International Data Flows after Schrems II. Background and Issue On July 16, 2020, the CJEU invalidated the EU–U.S.
Privacy Shield with immediate effect in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (called "Schrems II," see our previous Commentary on this case). The court upheld the EU Standard Contractual Clauses ("SCCs") for the transfer of personal data to processors outside the European Union/European Economic Area ("EU/EEA") under certain conditions, underscoring the need for companies to conduct an assessment of whether "supplementary measures" needed to be adopted to provide for an essentially equivalent level of data protection. Lack of Practical Guidance from Authorities Since then, various authorities on either side of the pond have commented on their understanding of the Schrems II judgment and its far-reaching implications, while companies have waited for practical suggestions. U.S. Two weeks after Schrems II, on July 31, 2020, the U.S.
Schrems II Invalidation of the Privacy Shield by the ECJ. Les professionnels du droit et la protection des données. Par Tara Taubman-Bassirian, Juriste. Tout d’abord, quelles sont à cet égard les spécificités des professions du droit et qui vise-t-on ?
Auxiliaires de justice, avocats, huissiers, notaires. Tous femmes et hommes de droit, au service de la justice, un des piliers majeurs de la démocratie. Ce sont des techniciens du droit, ils sont qualifiés pour lire et interpréter les lois et règlements. Ils savent rédiger et manier les termes techniques sur les droits et obligations en vigueur. Ils sont tenus par le secret professionnel. Ils se voient confier des données personnelles de tous genre, souvent de nature sensible ou, pour reprendre le terme exact introduit par le RGDP, « des données personnelles à caractère sensible » Article 9 RGDP. Nous laisserons de côté les juridictions. Y sont donc inclus les données personnelles des enfants, de certains membres de la famille et lorsqu’un témoignage sera versé au dossier, l’attestation s’accompagnera de la pièce d’identité du témoin pour être valide. Des cas de dérogations ont été prévues.
Edpb recommendations 202001 supplementarymeasurestransferstools en. Finally some practical EDPB guidance on how to make international data transfers lawful. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. EDPB Publishes Draft Recommendations on Supplementary Measures for Data Transfers. On November 11, 2020, the European Data Protection Board (EDPB), comprised of the European data protection regulators (DPAs), issued two long-awaited sets of recommendations.
These recommendations are critical for any companies exporting or importing EU personal data. The first set contains a roadmap of the steps data exporters should take when relying on EU-approved data transfer mechanisms to transfer data from the European Economic Area (EEA) to another country (Transfer Tool Recommendations). The second set of recommendations provides guidance on how to assess a third country’s surveillance measures when exporting personal data outside of the EEA (European Essential Guarantees (EEG) Recommendations).
The latter are relevant to businesses when assessing a third country’s level of data protection, and to DPAs when assessing a third country’s adequacy. Background On July 16, 2020, the European Court of Justice (ECJ) invalidated the EU-U.S. Conclusions and Next Steps [1] Article 49 GDPR.
First impressions: New EU Standard Contractual Clauses - the Good, the Bad, and the Ugly.