A decision issued on 15 March 2021 by the Bavarian Data Protection Authority (“BayLDA“, publication pending) is the first German enforcement action in connection with last year’s decision of the Court of Justice of the European Union (“CJEU“, “CJEU’s Decision“) on the validity of the European Commission’s Standard Contractual Clauses (“SCCs“) and the EU-US Privacy Shield (C-311/18, more information available in our client alert). In the CJEU Decision, the court held that a transfer of personal data from the EU to third countries outside the European Economic Area (“EEA“) under the EU Standard Contractual Clauses will be permissible under the General Data Protection Regulation (“GDPR“) only if the level of protection of the transferred data is adequate. When assessing whether the level of protection is adequate, companies have to take into account the wording of the SCCs and the legal system of the third country where the recipient of the personal data is located, in particular, with regards to access to the transferred data by public authorities in the third country. Depending on the outcome of this assessment, the data exporter and the data importer may be required to implement adequate supplementary measures in order to safeguard the transferred data.
