DSK on the Schrems II ruling of the ECJ

The Ger­man Con­fe­rence of Inde­pen­dent Fede­ral and Sta­te Data Pro­tec­tion Aut­ho­ri­ties (DSK) has issued a Press release to Judgment of the ECJ in the case of Schrems II published. It sta­tes that

• the exi­sting stan­dard con­trac­tu­al clau­ses for a trans­fer of per­so­nal data to the U.S. and other third count­ries can in prin­ci­ple con­ti­n­ue to be used, but the ECJ has empha­si­zed the respon­si­bi­li­ty of the con­trol­ler and the reci­pi­ent to assess whe­ther the rights of the data sub­jects in the third coun­try enjoy “an equi­va­lent level of pro­tec­tion as in the Uni­on”. If not, fur­ther mea­su­res to ensu­re the requi­red level of pro­tec­tion should be con­side­red. “Howe­ver, the law of the third coun­try must not affect the­se addi­tio­nal safe­guards in such a way as to fru­stra­te their effec­ti­ve­ness.” Fur­ther, “Accor­ding to the ECJ ruling, stan­dard con­trac­tu­al clau­ses wit­hout addi­tio­nal mea­su­res are gene­ral­ly not suf­fi­ci­ent for data trans­fers to the USA.„
• The judgement’s eva­lua­tions also app­ly to BCRs. They, too, must gua­ran­tee a level of data pro­tec­tion essen­ti­al­ly equi­va­lent to that in the EU.
• The ECJ has also assi­gned a key role to the super­vi­so­ry aut­ho­ri­ties in enfor­cing the GDPR. The Ger­man super­vi­so­ry aut­ho­ri­ties will coor­di­na­te their approach in the Euro­pean Data Pro­tec­tion Board.