Safeguards to supplement transfer tools
The level of protection for personal data must be essentially equivalent to that guaranteed within the EU when transferring data to international organisations and third countries outside the European Economic Area. Before personal data can be transferred outside the EEA, the controller or processor of personal data must ensure that an adequate level of data protection is guaranteed for the personal data to be transferred. If the basis for the transfer does not guarantee adequate protection in itself, it can be supplemented in certain cases with different kinds of technical, organisational or agreement-based additional safeguards.
Controllers and processors that transfer personal data must check on a case-by-case basis whether the legislation of the third country guarantees a level of protection for the personal data to be transferred that is essentially equivalent to that of the European Economic Area. The assessment must take account of the specific circumstances of the transfer, the legislation of the third country in question and the applicable basis for the transfer. The data exporters are responsible for drawing up a concrete assessment. The assessment must also be documented carefully.
If the safeguards included in the basis for transfer are not sufficient as such, they can be supplemented in certain cases with technical, organisational or agreement-based additional safeguards. It may not be possible to implement sufficient supplementary safeguards in all cases. In that case, the transfer of data to a third country cannot be started, or the transfer of data must be stopped.
The European Data Protection Board has published recommendations that help controllers and processors of personal data assess the need for appropriate supplementary safeguards and choose the safeguards suitable for the situation.
- Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (pdf) (The recommendations are immediately applicable, even though the final version after the public hearings has not been confirmed yet)
- Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (pdf)
The Schrems II judgment specified the requirements for data transfers
The Schrems II judgment (C-311/18) of the Court of Justice of the European Union has a significant impact on the transfers of personal data outside the EEA. The judgment issued in July 2020 specified the requirements on international transfers of personal data that must be met in order to legally transfer personal data from the European Economic Area to a third country or an international organisation.
In the Schrems II decision, the Court of Justice stated its opinion on issues such as the use of standard contractual clauses (SCCs) approved by the Commission as the basis for the transfer of data. The judgment emphasises that the controllers and processors of personal data must assess the need for safeguards supplementing the standard contractual clauses and other bases for the transfer of data in order to ensure that the level of data protection meets the EU requirements.
The goal of the EDPB is to ensure that the General Data Protection Regulation (GDPR) and the judgment of the Court are applied systematically throughout the whole EEA. The EDPB has published answers to the most frequently asked questions about the Schrems II judgment; they list the things that controllers and processors of personal data must take into account when transferring the data.