The data protection authority in Baden-Württemberg (State Commissioner for Data Protection and Information Security, LfDI) has published an orientation guide on the ECJ's decision of July 16, 2020 (Schrems II). In it, it comments on the ruling and formulates concrete recommendations for action for companies that still intend to transfer personal data to a third country on the basis of the standard contractual clauses (SCC). Overall, the LfDI states that, in particular, a transfer to the USA on the basis of the SCC is “conceivable”, but that the ECJ’s requirements for additional safeguards are met “only in rare cases”.
First, the LfDI states the following:
- The Privacy Shield is invalid with immediate effect.
- The SCC continue to apply, but only on condition that an adequate level of protection for the personal data of the data subjects is actually ensured in the EU/EEA. This requires, on the one hand, appropriate safeguards and, on the other hand, that enforceable rights and effective remedies are available to data subjects. If local authorities in the third country can interfere excessively with the rights of the data subject, for example through comprehensive access to their data, an adequate level of protection is not given and additional measures are required in addition to the SCC.
- If an adequate level of protection cannot be achieved by these measures, the transfer must be omitted or suspended. Likewise, the competent authority in the country of the data exporter (in the EU/EEA) must prohibit such a transfer.
From this, the LfDI derives the following:
- If a data exporter intends to continue to base data transfers from the EU/EEA to the U.S. on the SCC, it must provide additional safeguards which prevent access by US authorities (e.g. intelligence services), namely through encryption, anonymization or pseudonymization of the personal data in question, whereby only the data exporter may possess the key for re-identification;
- Transfers to other third countries are also only permitted after prior examination of the local legal situation (existing access possibilities by the authorities there, additional measures);
- If the aforementioned measures cannot ensure an adequate level of protection, a transfer under Art. 49 GDPR is, according to its wording, conceivable only in exceptional cases and only in individual cases, such as in the case of consent of the data subjects, within the framework of a contract or for the assertion of legal claims (cf. also Recital 111).
Finally, the LfDI formulates concrete instructions for action for affected companies:
- Inventory of the relevant data transfers to third countries (including access from such countries);
- Informing the contracting parties about the judgment and its consequences for the contractual relationship;
- Examination of the legal situation and the existence of an adequacy decision for the third country in question;
- Examining whether the SCC can be used. However, in cases of unrestricted access by local authorities (e.g. mass retrieval of data without information and procedural remedies for the data subjects), this must be denied in accordance with the above statements.
Furthermore, the LfDI proposes various adjustments to the annex of the SCC for controller-to-processor data transfers. Companies are required to make these adjustments, in particular in order to “demonstrate and document the will to act in accordance with the law”. The amendments relate, among other things, to the expansion of the data exporter’s information obligations to the data subjects, which are to be fulfilled in the case of any The data importer’s obligation to disclose data only after a final and binding decision of a public authority, as well as further adjustments with regard to the dispute resolution procedure and a specific clause on indemnification between the parties (cf. Section IV.).
If a data transfer cannot be made in accordance with these additional conditions, the only remaining option is a transfer in accordance with the aforementioned exemption provision under Art. 49 GDPR. In the case of group structures or individual agreements, this could be considered as a last resort.
Finally, the LfDI makes it clear that intended data transfers in the form described are only permissible if the data exporter can convince the authority that the service provider/contract partner used “with transfer problems” cannot be replaced in the short and medium term by a service provider/contract partner “without transfer problems”. Otherwise, the data transfer in question is prohibited. For companies, this would mean that, according to the practice of the LfDI, data transfers to the U.S. would only be permissible if no European service provider comes into question as an alternative.