This graph shows how the Schrems II ruling impacted GDPR cross-border personal data transfers. It's the best explanation of it on the whole Internet! Also see here: https://cawemo.com/share/ec441c8e-e454-4ea0-a74a-05fc5d14eaf5
It's not true that the Schrems II ruling changed anything in the GDPR. As you will see on the graph, the European Court of Justice just reminded everyone (especially law firms who like to sell interpretations convenient to clients but non-compliant with the law) what the GDPR provisions look like.
Since this legal matter is very complicated, the graph is pretty large, so you must download it to read all the details. But it's worth it!
Also see: https://www.slideshare.net/joanna_kornas/graph-gdpr-crossborder-transfers-of-personal-data
GRAPH: Schrems II GDPR cross-border transfers of personal data
1. Disclaimer:
This is not for playing. This is for educational and knowledge-sharing purposes only. This is my interpretation of the GDPR. Not for commercial use. To be used only upon citing the source. All rights copyrighted, reserved and conserved. Choking hazard: very high.
Created by Joanna Kornas, 20.08.2020, version 1.0
GDPR: after Schrems II
Published on: https://cawemo.com/share/ec441c8e-e454-4ea0-a74a-05fc5d14eaf5
2. Graph content (the flowchart's nodes, flattened from the image; decision edges on the graph are labelled YES / NO, and the colour legend is red / orange / green)

Start: "I want to transfer personal data outside the EEA!*" (*third country or international organisation) -> Chapter V of the GDPR applies.

Decisions and outcomes:

- Is the transfer imposed by the third country court / tribunal etc.? (See: Art. 48)
  -> Is there an international agreement with regard to the transfer? (See: Art. 48)
     Outcomes: Transfer allowed / Transfer forbidden

- Is there an EC adequacy decision?

- Is there EU or national law limiting the transfer? (See: Art. 49 par. 5)
  -> Check the restrictions -> Apply the restrictions -> Transfer allowed only within the limited scope

- Enforceable rights & effective legal remedies available?
  Outcomes: Transfer allowed / Transfer forbidden

- Check appropriate safeguards, Art. 46 par. 2:
  a) legal instrument between public authorities or bodies
  b) binding corporate rules
  c) EC's standard data protection clauses
  d) national standard data protection clauses approved by the EC
  e) approved code of conduct
  f) approved certification mechanism
  Do you use at least 1 of these appropriate safeguards?
    YES -> No national GDPR authority specific authorisation required -> Transfer allowed
  Do you use any other appropriate safeguards? (See: Art. 46 par. 3)
    YES -> National GDPR authority specific authorisation required
        -> Is specific authorisation obtained and still valid? YES -> Transfer allowed

- Check the conditions from Art. 49 par. 1 subpara 1, points (a)-(g):
  Are you a public authority exercising its power? (See: Art. 49 par. 3)
    YES -> points (a)-(c) not applicable; NO -> points (a)-(g) applicable
  For each point, all the following conditions must be met:
  (a) the data subject informed of the risks of the transfer; the data subject explicitly consented to the proposed transfer
  (b) a contract between the data subject & the controller concluded and the transfer necessary for the performance of the contract; or, at the pre-contractual stage, at the data subject's request, pre-contractual measures must be implemented (transfer necessary)
  (c) a contract between the controller & a third party concluded in the interest of the data subject; transfer necessary for the conclusion or the performance of the contract
  (d) the transfer is necessary for important reasons of the public interest; the public interest is recognised in EU or controller Member State law
  (e) the establishment, exercise or defence of legal claims; the transfer is necessary for this purpose
  (f) the data subject physically or legally incapable of giving consent; protection of the vital interests of the data subject or other persons; the transfer is necessary for this purpose
  (g) (See also: Art. 49 par. 2) a register contains the personal data; the transfer is made from the register and only within the legal access rules; the register is intended to provide information to the public; no transfer of all the data from the register and no transfer of an entire category of data from the register; the register is open to the public in general or to any person with a legitimate interest (transfer at the request of such a person, or if such a person is the recipient of the personal data); EU or Member State law provides the access rules to the register
  Do you meet at least one of the requirements set out in points (a)-(g)? Which requirements are met?
    YES -> transfer allowed (only within the met requirements)

- Art. 49 par. 1 subpara 2:
  Is the transfer of personal data repetitive? YES -> Transfer forbidden
  Does the transfer concern only a limited number of data subjects? NO -> Transfer forbidden
  Is the transfer necessary for the controller's compelling legitimate interest? NO -> Transfer forbidden
  Is the interest overridden by the data subject's interests, rights or freedoms? YES -> Transfer forbidden
  Controller: compulsory transfer assessment
    -> Are suitable safeguards provided on the basis of the assessment? NO -> Transfer forbidden
    Assessments and safeguards: to be put in the Art. 30 records (See: Art. 49 par. 6)
    -> National GDPR supervisory authority to be informed of the transfer
    -> Separate information to the data subject of the transfer (only after having been informed!)
    -> Transfer allowed
3. Annotations on the graph (Schrems II):

- On the EC adequacy decision for the US: "Sorry, there's none. The European Court of Justice (ECJ) ruled that the EC's Privacy Shield adequacy decision is invalid." Schrems II erased this path with regard to the US.

- On enforceable rights and effective legal remedies: "Of course, the ECJ hasn't ruled that the US does not provide enforceable data subject rights and effective legal remedies for data subjects. But this is the exact reason why the ECJ ruled that the EC's Privacy Shield adequacy decision is invalid. So, would you dare to claim that the US ensures enforceable data subject rights and effective legal remedies for data subjects? As for now, the use of this path is highly doubtful. Maybe the answer to this question could be 'yes' with regard to some kind of non-sensitive personal data?" See: sec. 178, 181, 182, 184, 190, 195 of the Schrems II judgement. Schrems II made the use of this path highly doubtful with regard to the US.

- On the Standard Contractual Clauses: "It is important to understand that the Standard Contractual Clauses adopted by the European Commission are still valid and may be used as voluntary, additional safeguards. However, application of the SCC itself is not sufficient to transfer the personal data to the US."

- On the compulsory transfer assessment (Art. 49 par. 1 subpara 2): "Here: it is possible that Standard Contractual Clauses may be deemed suitable safeguards."

- On the Art. 49 derogations: "Well, this path is still allowed with regard to the US."