During its latest plenary session, the EDPB adopted a final version of the Recommendations on supplementary measures following public consultation. The Recommendations were first adopted in draft in November 2020 following the CJEU ruling in the Schrems II case. They aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection for the data they transfer to third countries.
The final version of the Recommendations includes several changes addressing feedback from the consultation. Among the main modifications are:
- the emphasis on the importance of examining the practices of third country public authorities in the exporters’ legal assessment to decide if the legislation and/or practices of the third country affect the effectiveness of the Article 46 GDPR transfer tool;
- the possibility that the data exporter considers in its assessment the practical experience of the data importer, among other elements and with certain caveats; and
- the clarification that the legislation of the third country of destination allowing its authorities to access the data transferred, even without the importer’s intervention, may also affect the effectiveness of the transfer tool.
The European Commission has recently published new standard contractual clauses for international transfers, and the Recommendations aim to provide assistance in relation to clause 14 of the new clauses and the possible need to implement supplementary measures.
The EDPB also adopted a letter addressed to EU Institutions on the privacy and data protection aspects of a possible digital euro. In the letter, the EDPB stresses that a very high standard of privacy and data protection is crucial to reinforce the trust of end users and should be considered a distinctive element in the offering of a digital euro, representing a key factor of success. Such concerns should be taken into account from the design stage. In addition, the EDPB recommends that the EU body in charge of the design of the project performs a high-level data protection impact assessment.
Finally, the EDPB also adopted a joint EDPB-EDPS opinion on the draft AI Regulation.