How to comply with GPRD regulations after the Schrems II Ruling

International data transfers between the European Economic Area and the United States were until recently “guaranteed” secure. First with the Safe Harbor, annulled by the ECJ in 2015. Then by the Privacy Shield, which has been invalidated since last July. The Schrems I and II rulings are among the most relevant in terms of data protection. And now what will happen to the European subsidiaries that transfer data to their parent companies in the USA?

Is it necessary to do something after the Schrems II ruling?

The GDPR is based on guaranteeing an adequate level of protection for our personal data. International data transfers cannot undermine this protection. The Privacy Shield is incompatible with the pillars of the GDPR. International data transfers cannot be carried out if they do not guarantee a level of protection comparable to that offered by the GDPR. US regulations fail to achieve this.

First of all, do we have a grace period?

No. Since the Court declared the Privacy Shield invalid we will not be able to carry out international data transfers within this legal framework.

Si te ha interesado este artículo no dudes en leer:

What are SCCs or standard contract clauses?

The Standard Contractual Clauses (SCCs) on data protection allow international data transfers. Their use is established by Article 46 of the GDPR.

What should I do if I am a Data Processor Controller?

The fact that the Privacy Shield has been invalidated does not mean that we can no longer perform international data transfers. However, we can only do so if adequate guarantees are provided. And as long as the data subjects have enforceable rights and enforceable legal actions.

What are these adequate guarantees? Alternative solutions to the invalidated Privacy Shield

First of all, is this international data transfer really necessary? If the answer is yes, we will have to review each of them individually.

Was this transfer supported by the Privacy Shield? If the answer is yes, we must find an alternative to this already invalidated mechanism.

In the absence of decisions on adequacy, there are other mechanisms for international data transfer. In other words, these transfers should be covered by:

• Binding corporate rules between the parent company and its subsidiaries, depending on the result of its assessment.
• Standard data protection clauses, evaluated on a case-by-case basis.
• Code of conduct and binding and enforceable commitments of the data controller in the third country to apply appropriate guarantees.
• An authorization to the AEPD. (Agencia Española de Protección de Datos)

And in the absence of these adequate guarantees, international data transfers may be carried out if any of these conditions are fulfilled:

• The person concerned has explicitly given his or her consent to the transfer. Before that, he or she must have been informed of the risks involved in the transfer.
• The transfer is necessary:
  • For the execution of a contract between the interested party and the person responsible for the processing. For the execution of pre-contractual measures taken at the request of the data subject,
  • The conclusion or execution of a contract in the interest of the concerned party. We are talking about a contract between the person responsible for the processing and another natural or legal person.
  • For important reasons of public interest or for the formulation, exercise or defense of complaints.
  • Or, to protect vital interests of the data subject or other persons when he/she is unable to give his/her consent.
• Or if the transfer is made from a public registry that provides information to the public.

If the transfer does not offer an adequate level of protection, the data controller will have to suspend or terminate the transfer.

If this article has been of interest, we also suggest you to read the following article published on our website: Sanctions of the Data Protection Regulation