Schrems II forces processing agreements to be amended

Last week we reported on the Schrems II judgment of the European Court of Justice. The European data protection regulator, the European Data Protection Board (EDPB), has now drawn attention to the consequences for exporters and importers of personal data.

Main actions to be taken

First, exporters should thoroughly examine the legal basis for transfers of personal data to third countries. They will have to assess whether the instrument they use for the transfer of the personal data and the level of protection offered by the country of destination are still sufficient. In addition, the agreements previously made with processors must be reassessed. There is a good chance that these agreements laid down in processing agreements are no longer legally valid since Schrems II.

Immediately

The EDPB has emphasized that the declaration of invalidity of Privacy Shield by the Court has immediate effect. Any organization that transfers personal data to a third country must therefore take immediate action to avoid sanctions.

Not just the United States

Although that ruling by the Court was limited to transfers to the United States through Standard Contractual Clauses or the Privacy Shield, it appears from the judgment and the explanation of the EDPB that the rules formulated by the Court also apply to transfers to other third countries and transfer using other instruments.

Appropriate guarantees are not sufficient

The instruments that can be used for transfers to third countries that are not subject to an adequacy decision by the European Commission are in principle the appropriate safeguards from Article 46 of the GDPR. This includes, for example, the Standard Contractual Clauses (SCC) and the Binding Corporate Rules (BCR). In principle, because Schrems II has made it more than clear that the mere use of an appropriate guarantee is not sufficient.

A legally valid transfer also requires that the third country respects the level of protection required for the transfer (achieved by an appropriate guarantee).

If it turns out that the intended appropriate safeguard does not lead to a level of protection equivalent to that of the GDPR, the transfer may not take place and the agreement between exporter and importer may even have to be terminated.

What to do?

Despite the fact that the Court’s ruling is less than two weeks old, it is of great importance that organizations that used Privacy Shield take immediate action to bring their contracts in line with what the Court has determined.

Any transfer made under Standard Contractual Clauses or Binding Corporate Rules must be reviewed. An assessment will always have to take place, taking into account all circumstances of the transfer, including the nature of the personal data, the frequency of transfer, the (processor) agreement concluded with the importer and the level of protection of the third country.

The assessment will result in necessary actions to be taken. These actions may involve renegotiating existing agreements, entering into new agreements, or terminating invalid agreements.

Further information and contact

If your organization is involved in the transfer of personal data to a third country and you have questions or need legal support, please contact us. We are happy to assist you. For example, we can carry out an assessment of your existing contracts, support you in the transfer of invalid contracts and conduct research into the level of protection of a third country. Do you need Binding Corporate Rules? We are also happy to make these for you.

For more information, call 070 306 0033 or send an email to a.w.duthler@firstlawyers.nl.