EDPB consultation on supplementary measures: EBF response

07 January 2021

The European Banking Federation (EBF) welcomes the opportunity to respond to the European Data Protection Board’s (EDPB) consultation on its Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

While we welcome the EDPB’s work to help resolve the uncertainty which has followed the CJEU Schrems II judgement and particularly the use of standard contractual clauses by data exporters, we are concerned on the substantial burden placed on the data controller to assess the adequacy of the level of protection afforded to personal data from the EU of the jurisdiction to which it is being transferred. This creates an immediate risk of fragmentation from differing assessments by companies and subsequently, to different actions from DPAs. Practical tools, which provide a uniform starting base for data exporters and help them conduct these assessments, are needed. We also note the lack of a proportionate and risk based approach in the Recommendations, which seem to be based on the assumption that the level of risk to data subjects depends solely on the law in the recipient country, and not at all on other factors.

The Recommendations should incorporate proportionate and risk based approach to transfers, which takes into account, for example, the type of data (normal/sensitive data), the risk for the data subject, the, level of security of data transferred and the likelihood of inappropriate interception by local authorities. A meaningful grace period is vital to allow for a sufficient period of time to elapse to enable businesses to implement the relevant procedures and measures.

EBF response


EBF


© EBF