EDPS issues strategy for EU institutions' compliance with Schrems II case


On 29 October 2020, the European Data Protection Supervisor (“EDPS”) issued a strategic document aiming to monitor compliance of European institutions, bodies, offices, and agencies with the CJEU Schrems II ruling in relation to transfers of personal data to third countries, including the US.

The EDPS outlined identifying two priorities to address in the short-term: ongoing controller to processor contracts and/or processor to sub-processor contracts involving transfers of data to third countries, with a particular emphasis on those carried out to the US. In this regard, among others, the EDPS strongly encourages avoiding transfers of personal data towards the United States for new processing operations or new contracts with service providers.

Furthermore, as a medium-term compliance action, the strategy notes that the EDPS is going to provide guidance and pursue compliance and/or enforcement actions for transfers towards the US or other third countries on a case-by-case basis.

The press release is available here, and the strategy is available here.