On 18 June 2021, the European Data Protection Board adopted its final version on ‘supplementary measures’ for data transfers to third countries. The initial version from November 2020 received wide attention but left questions for the future of data transfers to third countries such as the U.S.
The new guidelines favour a risk-based approach allowing for a more in-depth review of each type of data transfer. In addition to local laws in the third countries, data exporters must also consider local practices. Such analysis may also indicate that certain “problematic” laws are not applied in practice and thus favour a data transfer.
Our detailed analysis of the new guidelines includes recommended steps before exporting data to third countries based on SCCs or BCRs.
Read the full text