Schrems II – In this case, the European Court of Justice is invited to consider the validity of the standard contractual clauses (CCS) approved by the European Commission. Given that hundreds of thousands of companies rely on these CCSs to transmit their data internationally, the decision will be even more effective in this regard. Today, the Advocate General gave his opinion. Although the Court is not bound by this Council and will make its own decision, the AG`s comments are generally considered to be decisive. Most US companies that receive European personal data are aware that the RGPD prohibits the transfer of personal data from the EEA to “third countries” that do not benefit from an “adequacy decision” from the Commission (currently only 12 countries have one), unless you can make a limited transfer if you and the recipient have entered into a contract with standard data protection clauses , which were adopted by the Commission. Exception 1. Did the person give explicit consent to the restricted transfer? You should move on to the next section Is the transmission covered by appropriate security measures? Data transmission agreements (whether they are processor controllers, subprocessor processors or another combination of parts) are not new, but with the advent of the RGPD, they get an upgrade and require much greater scrutiny and detail. The details of what is considered a “vital interest” in the RGPD can be found in the vital interests section as a condition for the processing of data in specific categories. The clauses contain contractual obligations to the data exporter and importer of data, as well as rights for persons whose personal data is transferred. Individuals can apply these rights directly to the data importer and the data exporter. You make a limited transfer when you collect information on people on paper that are neither ordered nor structured and send it to a service company outside the EEA: this does not apply to registers held by private companies, such as credit reference databases.B.
You should consider (especially if you are a controller) direct and indirect transfers (redirects) for both current and future transfers.