Invalidation of the "Privacy shield": the first answers of the EDPB to the frequently asked questions

31 July 2020

Following the judgment of the Court of Justice of the European Union invalidating the Privacy Shield ("Schrems II" case), the EDPB answers some frequently asked questions, in a document that will be developed and complemented along with further analysis.

What did the Court rule in its judgment?


Does the Court’s judgment have implications on transfer tools other than the Privacy Shield?


Is there any grace period during which I can keep on transferring data to the U.S. without assessing my legal basis for the transfer?


I was transferring data to a U.S. data importer adherent to the Privacy Shield, what should I do now?


I am using SCCs with a data importer in the U.S., what should I do?


I am using Binding Corporate Rules (“BCRs”) with an entity in the U.S., what should I do?


What about other transfer tools under Article 46 GDPR?


Can I rely on one of the derogations of Article 49 GDPR to transfer data to the U.S.?


Can I continue to use SCCs or BCRs to transfer data to another third country than the U.S.?


What kind of supplementary measures can I introduce if I am using SCCs or BCRs to transfer data to third countries?


I am using a processor that processes data for which I am responsible as controller, how can I know if this processor transfers data to the U.S. or to another third country?


What can I do to keep using the services of my processor if the contract signed in accordance with Article 28.3 GDPR indicates that data may be transferred to the U.S. or to another third country?


Document reference

Keywords associated to this article