The European Court of Justice (ECJ) ruling on the "Schrems II" case, brought about by privacy advocate Max Schrems, resulted in the end of the Privacy Shield. We address key questions, without making any claim to completeness or conclusive answers. This whitepaper focuses on the expected practical implications, as well as practical measures for mitigating possible risks.
- Examination of possible restrictions/terminations of the third country transfer (particularly to the U.S.)
- Switch from Privacy Shield to Standard Contractual Clauses
- Implementation of additional technical measures prior to third country transfers (particularly to the U.S.)
- Directives and requirements for all data importers (particularly processors)
- Directives and requirements specifically for processors and sub-processors
- Use of additional contractual clauses for processing contracts and SCC (Standard Contractual Clauses)
- Use of the derogation rules in Art. 49 GDPR
- Consideration of alternative providers
- Examination and adaptation of Binding Corporate Rules (BCRs)
- Examination and adaptation of the privacy policies (particularly on websites and apps)
- Updating the records of processing activities