The EDPB adopted a final version of the Recommendations on supplementary measures following public consultation.
After the CJEU Schrems II ruling, they aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries.
Among the main modifications are:
- the emphasis on the importance of examining the practices of third country public authorities in the exporters’ legal assessment to determine whether the legislation and/or practices of the third country impinge - in practice - on the effectiveness of the Art. 46 GDPR transfer tool;
- the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats;
- and the clarification that the legislation of the third country of destination allowing its authorities to access the data transferred, even without the importer’s intervention, may also impinge on the effectiveness of the transfer tool.