The Euro­pean Data Pro­tec­tion Aut­ho­ri­ty EDSA has published FAQ on the Schrems II judgment of the ECJ published. The­re is not much new in it. The EDSA

  • empha­si­zes that the fur­ther use of the Stan­dard Con­trac­tu­al Clau­ses is only per­mis­si­ble or suf­fi­ci­ent if the Export­er pre­vious­ly done his home­work has:

    Whe­ther or not you can trans­fer per­so­nal data on the basis of SCCs will depend on the result of your assess­ment, taking into account the cir­cum­stances of the trans­fers, and sup­ple­men­ta­ry mea­su­res you could put in place. The sup­ple­men­ta­ry mea­su­res along with SCCs, fol­lo­wing a case-by-case ana­ly­sis of the cir­cum­stances sur­roun­ding the trans­fer, would have to ensu­re that U.S. law does not impinge on the ade­qua­te level of pro­tec­tion they gua­ran­tee. If you come to the con­clu­si­on that, taking into account the cir­cum­stances of the trans­fer and pos­si­ble sup­ple­men­ta­ry mea­su­res, appro­pria­te safe­guards would not be ensu­red, you are requi­red to sus­pend or end the trans­fer of per­so­nal data. Howe­ver, if you are inten­ding to keep trans­fer­ring data despi­te this con­clu­si­on, you must noti­fy your com­pe­tent SA.

  • gives (few) hints about the Excep­tio­nal rea­sons accor­ding to Art. 49 DSGVO (e.g. expli­cit consent);
  • holds that it curr­ent­ly ana­ly­zing pos­si­ble addi­tio­nal pro­vi­si­ons to SCC:

    The EDPB is curr­ent­ly ana­ly­zing the Court’s judgment to deter­mi­ne the kind of sup­ple­men­ta­ry mea­su­res that could be pro­vi­ded in addi­ti­on to SCCs or BCRs, whe­ther legal, tech­ni­cal or orga­nizatio­nal mea­su­res, to trans­fer data to third count­ries whe­re SCCs or BCRs will not pro­vi­de the suf­fi­ci­ent level of gua­ran­tees on their own.

AI-gene­ra­ted takea­ways can be wrong.