Videoconference with AmCham Romania’s representatives
On the 26th of November 2020, following the request of the Romanian-American Chamber of Commerce (AmCham Romania), the representatives of the supervisory authority and those of AmCham discussed in a videoconference aspects on how to apply the provisions of the General Data Protection Regulation (GDPR) regarding the transfer of personal data to countries outside the EU, following the decision of the Court of Justice of EU in Schrems II Case (C-311/18).
In that judgment, the CJEU ruled on the interpretation and validity of two decisions of the European Commission as follows:
- ”Standard Clauses Decision” (Commission Decision 2010/87/EU, as amended by Commission Decision 2016/2297/EU on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC; the assessment of this decision did not reveal any element likely to affect its validity.
- “Privacy Shield Decision” (Commission Decision 2016/1250/EU on the adequacy of the protection provided by the EU-U.S. Privacy Shield); In the case of this decision, the Court’s assessment showed that it was invalid.
Thus, during the discussions, the representatives of the supervisory authority highlighted that, as it is clear from the CJEU’s judgement, the Court affirms the validity of the standard contractual clauses as a tool for the transfer of personal data to third countries and rules that from paragraph (2) letter c) of Article 46 from Regulation (EU) 2016/679 it follows that the appropriate safeguards, enforceable rights and effective remedies provided for in those provisions must ensure that the rights of persons whose personal data are transferred to third country pursuant to standard contractual clauses enjoy a level of protection essentially equivalent to that guaranteed in the EU Regulation.
In light of the CJEU decision mentioned above, during the discussions held, the representatives of the supervisory authority stressed out that, in the context of the CJEU judgement in Schrems II, for a uniform approach of the data transfers to third countries, including USA, the European Data Protection Board drafted some recommendations on the measures that supplement the transfer instruments in order to ensure compliance with the EU level of protection. These recommendations, launched in public consultation can be found here: https://www.dataprotection.ro/?page=Plenara_nr_._41_a_EDPB&lang=ro.
Thus, it was pointed out by the representatives of the supervisory authority that, through the recommendations, the Board aims to provide the controllers and their processors, as data exporters, in the context of data transfers to third countries, including USA, a number of “steps to be followed”, potential sources of information and examples of supplementary measures that could be put into practice within the complex task of assessing and identifying such measures.”
Legal and Communication Department
ANSPDCP