19 November 2020

Data transfers: new tools and new requirements

  • Quick read

Following the CJUE’s ruling in Schrems II, data transfers to the US can no longer be based on the Privacy Shield.

In addition, each data transfer to a third country based on GDPR “appropriate safeguard” (including standard contractual clauses (SCCs) and binding corporate rules (BCRs) must be individually assessed and documented to demonstrate that the law or practice of the third country does not impinge on the effectiveness of the safeguards the parties are relying on. The EDPB published practical recommendations to that end.

These new requirements apply to data transfers to the US, the UK after Brexit (ie from 1 January 2021) and, more generally, to any third country with no adequacy decision.

At the same time, SCCs are being entirely redesigned. Companies using SCCs will therefore need to update them.

The reality check

  • Are data transfers outside the EU (including to the US or the UK after Brexit) clearly identified?
  • Which transfer tools are currently used (SCCs, BCRs, Privacy Shield, adequacy decision…)?
  • Are these tools still appropriate?
  • If not, what is the roadmap for changing them or updating them (update of the SCCs, alternatives to the Privacy Shield, assessment of the law of third countries where data is transferred, implementation of supplementary measures…)?

Taylor Wessing can provide support

  • Audit your specific situation and implement a pragmatic action plan.
  • Choose the right transfer tools or applicable exceptions.
  • Assess and document the effectiveness of SCCs or BCRs in light of the law of the third country where data are transferred.
  • Where applicable, determine and implement the required supplementary measures to ensure an adequate level of protection of transferred data.
  • Identify transfers which can or must be based on the new SCCs, and so much more.


Call To Action Arrow Image

Latest insights in your inbox

Subscribe to newsletters on topics relevant to you.


Related Insights

Data protection & cyber

Release of CNIL's investigation plan for 2023

17 March 2023
Quick read

by multiple authors

Click here to find out more
Information technology

Adoption by the European Parliament of the DSA and the DMA (the Digital Services Package)

Flash IP/IT

7 July 2022
Quick read

by multiple authors

Click here to find out more
Copyright & media law

AI-generated works: a dead end from a copyright law perspective

Flash IP

28 June 2022

by Marc Schuler and Inès Tribouillet

Click here to find out more