Search
Contact
31.07.2020 | KPMG Law Insights

Data transfer following the ECJ ruling of July 16, 2020 C-311/18 (“Schrems II”).

On July 16, 2020, the ECJ issued a ruling in the Schrems II case that has far-reaching consequences for international data transfers:

  • The EU – U.S. Privacy Shield is ineffective and can no longer be used for data transfer to the U.S.. There is no grace period.
  • While the EU Standard Contractual Clauses (“SCC”) continue to be effective, the contracting parties must examine whether there are legal regulations in the recipient country that restrict compliance with the SCC and whether, if necessary, an adequate level of data protection can be ensured through supplementary regulations. The same applies to already approved Binding Corporate Rules (“BCR”).
  • The supervisory authorities have the right to prohibit data transfers also on the basis of the SCC, insofar as the regulations made with the SCC are not (or cannot be) complied with in individual cases.

The European Data Protection Board “EDPD/EDSA” announces in its FAQs, as of July 23, 2020, that it will provide guidance on the complementary measures for SCC. These could be legal, technical or organizational measures. For the USA, according to the ECJ’s findings, only measures that technically prevent access by the US authorities without a legality check in accordance with the principles of the GDPR or that give the data subjects the opportunity to seek effective legal protection in the USA should be considered.

Following the EDPD/EDSA, the following recommendation currently exists for dealing with data transfers to third countries:

  1. Data transfer to the U.S. on the basis of the EU-U.S. Privacy Shield will not continue. Check whether the data transfer can be switched to another legal basis, e.g. the SCC, or whether there is an exceptional circumstance pursuant to Art. 49 GDPR.
  2. When transferring data to the U.S. and other third countries based on SCCs, data recipients in the third countries must check whether they can comply with SCCs in their country and inform the data exporters in the EU. The same is true for BCR. All data exporters in the EU should therefore immediately write to their data recipients in third countries and ask for appropriate information. No more information needs to be obtained for the USA, as the ECJ ruling already contains all the information.
  3. If the data recipient in the third country declares that it cannot comply with the SCC or does not provide information, both (data exporter and data importer) must check whether the security gap can be closed by supplementary legal, technical or organizational measures and agree on these measures in an amendment agreement to the concluded SCC.
  4. If the data recipient in the third country cannot comply with the SCC, the security gap cannot be closed by supplementary measures and Art. 49 GDPR does not apply, the data must be moved to the EU. If this is not possible, the responsible supervisory authority must be informed.

We are happy to support you, e.g. with the

  • Analysis of your service relationships with data recipients in third countries with regard to any need for adaptation
  • additions to the SCC required as a result
  • Analysis of the legal situation in third countries, as well as for
  • Responding to requests or orders from data protection authorities

We will provide you with further information on the implementation of the ECJ ruling “Schrems II” in third countries, in particular in the USA, in our 2 webinar series, in German together with the experts from KPMG AG Wirtschaftsprüfungsgesellschaft and in English together with our lawyer colleagues from Nelson Mullins Riley & Scarborough LLP in the USA, as well as with our lawyer colleagues from other countries, planned for the end of August 2020.

Explore #more

04.10.2024 | In the media

Guest article in Bauunternehmer on the topic: “Competition is better for climate protection than rigid requirements”

Regulation is one of the main cost drivers in construction.
However, instead of rigid specifications, sustainability targets and climate protection can be better achieved through…

04.10.2024 | Deal Notifications

KPMG Law advises the HWP Handwerkspartner Group on the acquisition of Manfred Teckenburg Elektroanlagen

KPMG Law carried out a comprehensive legal due diligence for the HWP Handwerkspartner Group on the acquisition of Teckenburg Elektroanlagen and supported the purchase agreement…

04.10.2024 | Deal Notifications

KPMG Law and KPMG advise the Forterro Group on the acquisition of alltrotec

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised the Forterro Group on the due diligence, structuring and implementation of the acquisition…

04.10.2024 | Deal Notifications

KPMG Law and KPMG advise HWP Handwerkspartner Group on the acquisition of Elektro Fastabend Group

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) have jointly advised the HWP Handwerkspartner Group (HWP) on the acquisition of Fastabend Elektro-Gebäudetechnik…

02.10.2024 | Deal Notifications

KPMG Law advises the GOLDBECK Group on the acquisition of a majority stake in the Schalm Group

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) advised the HWP Handwerkspartner Group on the acquisition of the Schalm Group.
KPMG Law conducted a comprehensive legal due…

27.09.2024 | Deal Notifications

KPMG Law advises Munich Airport on the sale of a majority stake in Cargogate Munich Airport GmbH and the creation of a new cargo joint venture.

KPMG Law advised Flughafen München GmbH (FMG) on the sale of 74.9 percent of the shares in its subsidiary Cargogate Munich Airport GmbH (Cargogate) to…

27.09.2024 | Deal Notifications

KPMG Law and KPMG advise the GOLDBECK Group on the acquisition of Weiser GmbH Brandschutz & Technik

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) jointly advised the GOLDBECK Group on the acquisition of Weiser GmbH Brandschutz & Technik.…

25.09.2024 | In the media

Guest article in Wirtschafts Woche on the topic of data protection: Employers are liable for their works councils

Companies collect and store personal and sometimes sensitive employee data: age, length of service, salary, sick days and much more.
According to European and German…

22.09.2024 | In the media

PMN Awards 2024 – Konstantin von Busekist honored as Managing Partner of the Year

For the 16th time, the PMN Awards shine a spotlight on outstanding law firm innovations and management achievements.
On September 18, the Professional Management Network,…

21.09.2024 | In the media

Guest article in ZURe on the topic of reporting channels under the Whistleblower Protection Act and the Supply Chain Due Diligence Act

The dual obligation to implement reporting channels in accordance with the HinSchG and LkSG poses major personnel and administrative challenges for practitioners, especially in times…

Contact

Dr. Konstantin von Busekist

Managing Partner
Head of Global Compliance Practice
KPMG Law EMA Leader

Tersteegenstraße 19-23
40474 Düsseldorf

tel: +49 211 4155597123
kvonbusekist@kpmg-law.com

Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Lawyer
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

tel: +49 761 769999-20
shoegl@kpmg-law.com

Maik Ringel

Senior Manager

Münzgasse 2
04107 Leipzig

tel: +49 341 22572563
mringel@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll