On the 11^th of November, the European Data Protection Board (‘EDPB’) issued its recommendations on the types of supplementary measures that organisations can adopt to ensure that their international data transfers are compliant with the GDPR. The recommendations, adopted by the EDPB, will now be submitted for public consultation.

In our data privacy summer series of webinars (recordings of which can be found here), we discussed the implications of the recent Schrems II decision, including the requirement for supplementary measures to protect certain international data transfers, and have been awaiting this guidance on what form these measures could take from the EDPB since that decision.

The good news for organisations is that Annex 2 of the recommendations sets out a number of helpful international data transfer use cases, accompanied by a recommended supplementary measure that could be employed by an organisation in order to ensure an essentially equivalent level of protection to that guaranteed under the GDPR. However, it also gives example use cases where no form of supplementary measure could ensure an essentially equivalent level of protection and notes that in these cases, transfers of personal data would not be permitted.

Any organisation making transfers of personal data outside the EEA to a country that does not benefit from an adequacy decision from the European Commission should review this guidance and assess the implications for its current and future data flows.

If you would like help with this exercise, or in understanding the implications of the recommendations or the Schrems II decision, our data privacy team would be delighted to assist you.

David Goodbrand

Partner

Commercial Contracts

David specialises in advising clients on outsourcing arrangements, IP licensing, complex commercial contracts, fintech and the use of information.

Get in touch

Written by

Related News, Insights & Events

Risk horizon scan: 2025

January is the optimal time for businesses to review risk registers against management plans and goals for the next 12 months.

Cyber security – looking back on 2024 and what businesses can expect in 2025

2024 was another year in which UK businesses battled to combat cyber security threats, which continue to impact organisations of all sizes across all sectors.

Risk in commercial shipping – The Supreme Court clarifies the scope of Hague Visby Rules for claims for misdelivery of cargo

A Supreme Court decision has shed light on the scope of protection for carriers under a key international convention, highlighting the need for thorough risk assessment in the contracting process.

Want to hear more from us?

Subscribe here

Advice for the way we live our lives.

Burness Paull is known globally as the go-to Scottish law firm.

Guide: Doing Business in the UK

Legal insights

Changes to the EUSS scheme – The UK moves to automated settled status

Events

An introduction to diversity, equity and inclusion in the workplace

Topics

Welcome to Burness Paull.

Human and high-performing

Delivering real change for our clients, people and communities

Responsible business lies at the heart of our decision-making.

Firm news

Burness Paull advises on sale of former Virgin Hotel in Glasgow.

We believe you’re not a tiny cog in a giant machine.

Vacancies

Looking for a workplace that will value your curiosity, passion, and desire to grow?

Don't settle for standard, help us set new ones.

Knowledge & Development Lawyer | Funds

How can we help you today?

International data transfers. How can you ensure GDPR compliance?