On 11 November 2020 the European Data Protection Board ("EDPB") issued recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, and recommendations on the European Essential Guarantees for surveillance measures. The recommendations, resulting from a high-level Schrems II judgment, are intended to help data controllers and processors fulfil their obligation to define and implement appropriate complementary measures when transferring personal data to third countries.
In short, the recommendations contain a plan of actions to be taken by data exporters to determine whether it is necessary to implement complementary measures to transfer data outside the EEA in compliance with EU law, and to identify the most effective measures in each case. The recommendations also present an open catalogue of examples of complementary measures and how they could work for the given data transfer. Consultations for complementary measures will be ongoing until 21 December 2020.
Continuing its work, on 19 November 2020 the EDPB presented the long-anticipated new sets of standard contractual clauses between controllers and processors, and another one for data transfers outside the EU, as well as a statement on the ePrivacy Regulation and the future role of supervisory authorities and the EDPB ("Statement"). According to the Statement, the competent authority with respect to the ePrivacy Regulation should be the data protection office. In Poland it would mean transferring part of the responsibilities from the Office of Electronic Communications (Urzad Komunikacji Elektronicznej) to the Polish Data Protection Office (Urzad Ochrony Danych Osobowych).
The Statement can be found at here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.