The European Banking Federation (EBF) welcomes the opportunity to respond to the European Data Protection Board’s (EDPB) consultation on its Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
While we welcome the EDPB’s work to help resolve the uncertainty
which has followed the CJEU Schrems II judgement and particularly the
use of standard contractual clauses by data exporters, we are concerned
on the substantial burden placed on the data controller to assess the
adequacy of the level of protection afforded to personal data from the
EU of the jurisdiction to which it is being transferred. This creates an immediate risk of fragmentation from differing assessments by companies and subsequently, to different actions from DPAs. Practical tools, which provide a uniform starting base for data exporters and help them conduct these assessments, are needed. We also note the lack of a proportionate and risk based approach in the Recommendations, which seem to be based
on the assumption that the level of risk to data subjects depends
solely on the law in the recipient country, and not at all on other
factors.
The Recommendations should incorporate proportionate and risk based approach to transfers, which takes into account, for example, the
type of data (normal/sensitive data), the risk for the data subject,
the, level of security of data transferred and the likelihood of
inappropriate interception by local authorities. A meaningful grace period is vital to allow for a sufficient period of time to elapse to enable businesses to implement the relevant procedures and measures.
EBF response
EBF
© EBF
Key
Hover over the blue highlighted
text to view the acronym meaning
Hover
over these icons for more information
Comments:
No Comments for this Article