Strategy for EU institutions to comply with “Schrems II” Ruling
The European Data Protection Supervisor (EDPS) issued today a strategic document aiming to monitor compliance of European institutions, bodies, offices and agencies (EUIs) with the “Schrems II” Judgement in relation to transfers of personal data to third countries, and in particular, the United States. The goal is that ongoing and future international transfers are carried out in accordance with EU data protection law.
Wojciech Wiewiórowski, EDPS, said: “Transfers of personal data by EUIs to third countries should comply with the EU Charter of Fundamental Rights, as well as applicable EU data protection legislation, specifically Chapter V of Regulation (EU) 2018/1725. To this end, the Strategy builds on the cooperation and accountability of controllers to assess whether the essentially equivalent standard of protection, based on the Court’s ruling, is guaranteed when transfers of personal data are made towards third countries. Furthermore, the EDPS will continue to closely cooperate with other Data Protection Authorities (DPAs) within the European Data Protection Board (EDPB) so that individuals’ personal data is consistently protected throughout the EU/EEA, when data transfers to third countries occur”.
The Judgement has far-reaching consequences on all legal tools used to transfer personal data from the EEA to any third country, including transfers between public authorities. While the strategy aims to bring all transfers into compliance with the Judgement in the medium term, the EDPS has identified two priorities to address in the short-term: ongoing controller to processor contracts and/or processor to sub-processor contracts involving transfers of data to third countries, with a particular emphasis on those carried out to the United States.
It is in this context that the EDPS has developed an action plan to streamline compliance and enforcement measures, distinguishing between short-term and medium-term compliance actions.
As the Strategy continues to be implemented, the EDPS strongly encourages EUIs to avoid transfers of personal data towards the United States for new processing operations or new contracts with service providers.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, offices and agencies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS), was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 3(3) of Regulation (EU) 2018/1725, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction". See the glossary on the EDPS website.
The powers of the EDPS are clearly outlined in Article 58 of Regulation (EU) 2018/1725.