The European Data Protection Authority EDSA has published FAQ on the Schrems II judgment of the ECJ published. There is not much new in it. The EDSA
- emphasizes that the further use of the Standard Contractual Clauses is only permissible or sufficient if the Exporter previously done his homework has:
Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent SA.
- gives (few) hints about the Exceptional reasons according to Art. 49 DSGVO (e.g. explicit consent);
- holds that it currently analyzing possible additional provisions to SCC:
The EDPB is currently analyzing the Court’s judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical or organizational measures, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own.