Privacy International, LLP

Schrems II

Court of Justice of the European Union (“CJEU”) recent judgment C-311/18 (Schrems II) concluded that the privacy rights and protection granted to personal data collected in the European Economic Area (“EEA”) shall travel with the data. The Court also asserts this by clarifying that the level of protection in third countries need not be identical but essentially equivalent and upheld the validity of standard contractual clauses, as a transfer tool to facilitate the contractual equivalent levels of protection for data transferred to third countries.

Standard contractual clauses and other transfer tools mentioned under Article 46 of the General Data Protection Regulation (“GDPR”) need to be necessitated or sync where the personal data is processed. Controllers or processors, as an exporter, are responsible to verify, and where appropriate, in collaboration with the importer outside of the EEA, if the receiving country impinges on the effectiveness of the appropriate safeguards defined in Article 46, that additional data protection measures are in place.

In these circumstances, exporters shall implement supplementary measures that fill these gaps in the protection, and be in line with the principle of accountability of Article 5.2, which requires controllers to be responsible for, and able to demonstrate compliance with the GDPR principles relating to processing of personal data.


  1. The European Data Protection Board (‘EDPB”) advises, exporters, to know the data transfers by mapping all transfers of personal data to third countries. The exporter must also verify that the data transfer has adequate, relevant and is limited to what is necessary to the purposes for which was transferred and processed.
  2. Verify the transfer instrument that the cross-border transfer relies on (refer to Chapter V GDPR). If the European Commission has declared the country, to which the data is transfer to, identifies the data transfer as adequate, through the adequacy decisions under Article 45 GDPR, the business will not need to take any further steps, other than monitoring that the adequacy remains valid. In the absence of an adequacy decision, the business can rely on one of the transfer instruments listed under Articles 46 GDPR for transfers that are regular and repetitive.
  3. Assess if the law or practice of the third country may impose on the effectiveness of the appropriate safeguards of the transfer instruments the business is relying on. The assessment should primarily focus on receiving country’s legislation and the Article 46 GDPR transfer requirements and determine if the transfer undermines the required level of protection.
  4. Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment reveals that the effectiveness of the Article 46 GDPR transfer instrument the business is relying on or intends to rely on is deficient in the context of the transfer.
  5. Take formal procedural steps to adopt the supplementary data protection measure(s) that may be required based on the Article 46 GDPR transfer requirements. The business may also need to consult the competent supervisory authorities on the supplemental measures to be implemented.
  6. Re-evaluate at the documented intervals the business agreed upon, the level of protection afforded to the data transferred to third countries is in place and to monitor if there are any developments that degrade the level of protection. The principle of accountability requires continuous vigilance of the level of protection of personal data that the business collects, transfers and processes.