ARTICLE
15 July 2022

EDPB Statement About Transfers Of Personal Data To Russia

EH
ELVINGER HOSS PRUSSEN, société anonyme

Contributor

Independent in structure and spirit, Elvinger Hoss Prussen guides clients on their most critical Luxembourg legal matters. Committed to excellence and creativity in legal practice, our firm delivers the best possible advice for businesses, institutions and entrepreneurs, playing a unique role in the development of Luxembourg as a financial centre.
On 12 July 2022, the European Data Protection Board (the "EDPB") published a Statement 02/2022 on personal data transfers to the Russian Federation.
Russian Federation Privacy

What happened?

On 12 July 2022, the European Data Protection Board (the “EDPB”) published a Statement 02/2022 on personal data transfers to the Russian Federation. As a consequence of the war initiated by the Russian Federation against Ukraine, Russia has been excluded from the Council of Europe and is therefore no longer a contracting party to its respective conventions and protocols. Russia will also cease to be a contracting party to the European Convention on Human Rights as of 16 September 2022. According to the EDPB, these changes will have a significant impact on the level of protection of data subjects with respect to the transfers of personal data from the European Economic Area (the “EEA”) to Russia.

In their statement, the EDPB does not comment on the lawfulness or unlawfulness of such transfers. The EDPB rather concludes that frequent exchanges of personal data still exist due to “close economic and historic ties” and that supervisory authorities continue to monitor legislative changes and other relevant developments in Russia that may have an impact on data transfers.

What are the next steps?

Following the Schrems II ruling and the successive recommendations of the EDPB, data exporters are responsible for assessing whether, in the context of a transfer of personal data, the applicable legislation in the destination jurisdiction is likely to undermine the effectiveness of the appropriate safeguards of the instruments of Chapter V GDPR:

  • if this is the case, exporters should identify and adopt the additional measures that are necessary to ensure a level of protection for data subjects that is substantially equivalent to that guaranteed within the EEA;
  • if this is not the case and no additional measures can be identified, data exporters should suspend the data transfers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More