The basic approach of the Schrems II guideline is the same as before. At the same time, the guideline has with new recommendation and clarifications. The biggest change is that recommendations opens to more emphasis on the practical experience of the data importer with surveillance legislation, but with some doubts.
In different points, the EDPB has made some changes and shades to the formulation, for example talking about the pseudonymization. The EDPB has considered that the pseudonymization is one of the instruments that the research environments shall be able to use practically and guidelines shall be read in the light of this.
Context
On the 16th of July 2020 the European Court of Justice has issued the so-called Schrems II Judgement. The Judgement affirms that is not enough to use a valid legal transference basis, like the standard disposals of the European Commission, in order to transfer personal data out of the EEA. It is important to guarantee that the high protection level that we have in the EEA is kept practically. This has created big challenges, especially for companies which are transferred personal information in the USA.
In November 2020, the EDPB has issued a guideline on Schrems II and on what this judgement means for the personal data processing. This guideline has been under a public consultation and on this basis the EDPB has reviewed it. The revised guideline can be found on the website of the EDPB.
The Data Inspectorate will give additional information
Since the recommendation of the EDPB have been published, the State Data Inspectorate is planned to prepare in a short time updated guideline on the transference of personal data to third countries. Meanwhile, the Authority is asking that all the orientation requirements on Schrems II are addressed at the appropriate phone number.
edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en (1)