The German Conference of Independent Federal and State Data Protection Authorities (DSK) has issued a Press release to Judgment of the ECJ in the case of Schrems II published. It states that
- the existing standard contractual clauses for a transfer of personal data to the U.S. and other third countries can in principle continue to be used, but the ECJ has emphasized the responsibility of the controller and the recipient to assess whether the rights of the data subjects in the third country enjoy “an equivalent level of protection as in the Union”. If not, further measures to ensure the required level of protection should be considered. “However, the law of the third country must not affect these additional safeguards in such a way as to frustrate their effectiveness.” Further, “According to the ECJ ruling, standard contractual clauses without additional measures are generally not sufficient for data transfers to the USA.„
- The judgement’s evaluations also apply to BCRs. They, too, must guarantee a level of data protection essentially equivalent to that in the EU.
- The ECJ has also assigned a key role to the supervisory authorities in enforcing the GDPR. The German supervisory authorities will coordinate their approach in the European Data Protection Board.