CEDPO’s current state of play and international transfers

Oct 15, 2021

During AFCDP’s General Assembly 2021, Pascale Gelly, Vice-President of AFCDP and Cecilia Álvarez Rigaudias, in charge of the international affairs of APEP had the opportunity to talk about CEDPO’s main mission and related recent activities in order to promote the vision of the DPO to achieve reasonable, practicable, balanced and effective data protection throughout the European Union.

Although the DPO continues to be in the center of CEDPO’s mission, other topics in the GDPR have become increasingly important for Controllers and Processors which need to be addressed to the political sphere with one voice. CEDPO therefore will extend its activities in Europe and in Brussels being the pacemaker of European policy by establishing a new organizational framework. As a first step, CEDPO will be established as an International Non-Profit Association according to Belgian Law. Further steps will follow in order to support CEDPO’s mission.

In connection with recent GDPR topics heavily affecting Controllers and Processors, Pascale and Cecilia made reference to the EDPB recommendations which refer to the “additional supplementary” measures that were mentioned but not defined in the ECJ ruling of July 2020, as needed when transferring personal data to third countries which do not offer a level of data protection being essentially equivalent to European standards.  Both stressed that under these recommendations, data exporters are expected to take several steps for exporting personal data, including an assessment of the legal framework in the destination country based on objective factors, including practical experience. According to the revised version of the EDPB recommendations, experiences of data importers should not be the only criteria with respect to evaluating an adequate level of data protection but are relevant as well and must be supported by appropriate evidence. Such assessment still could be seen as a huge challenge for data exporters, especially in case of small and medium size enterprises.

The recently updated Standard Data Protection Clauses for International Data Transfers now represent an important tool for cross-border transfers including standardized rules for Data Processors. Although these Clauses are expected to be in general ‘self-sufficient’, as it happened with the former Clauses, obligations for data exporters and data importers arise from the Clauses which need to be complied with. Such obligations include to conduct an analysis of third country legislation and related access of public authorities in third countries (‘Transfer Impact Assessment’). The Standard Contractual Clauses are therefore to be seen as one pillar of future cross-border transfers in combination, if necessary, with supplementary measures.

It remains to be seen how data exporters cope with the EDPB recommendations for cross-border transfers, especially since data localization in Europe or full encryption cannot be the only solution.

 

You can access the recording of the presentation here.