International (Personal) Data Transfers

Posted on 01.07.2021

Several events happened in this area over the past weeks:

• On 4 June 2021, the Commission issued modernised standard contractual clauses (SCCs) under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR). These modernised SCCs will replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46.
• On 21 June 2021, the European Data Protection Board (EDPB) adopted the final version of the Recommendations on supplementary measures following public consultation. The Recommendations were first adopted in November 2020 following the CJEU Schrems II ruling. They aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries.
• On 28 June 2021, the European Commission adopted the long-awaited UK adequacy decision. Personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.

MedTech Europe, and in particular, the Data Protection Committee, is following very closely the topic of international data transfers. As part of its activities on the subject, MedTech Europe has contributed to the consultation organised by the European Commission last December (on the SCCs) and to the one on the Recommendations organised by the EDPB.

For more information, please contact Caterina Marcon, Officer Legal & Compliance.