Europe: Data protection authorities react to Schrems II judgment [updated 2 October 2020]

Following the publication of the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), various European data protection authorities have issued statements in response to the judgment.

Belgium

The Belgian Data Protection Authority ('Belgian DPA') published, on 31 August 2020, its statement on the Schrems II Case, noting that it has consequences for data controllers and processors who transfer personal data to third countries.

You can read the press release in Dutch here and in French here.

Croatia

The Personal Data Protection Agency ('AZOP') issued, on 20 July 2020, its statement on the Schrems II Case.

You can read the statement, only available in Croatian, here.

Cyprus

The Office of the Commissioner for Personal Data Protection ('the Commissioner') issued, on 20 July 2020, its statement on the Schrems II Case.

You can read the statement, only available in Greek, here.

Czech Republic

The Office for Personal Data Protection ('UOOU') issued, on 16 July 2020, its statement on the Schrems II Case.

You can read the statement, only available in Czech, here.

Denmark

The Danish data protection authority ('Datatilsynet') issued, on 17 July 2020, a statement on the Schrems II Case, outlining that it will work with the European Data Protection Board ('EDPB'), together with other EU data protection authorities, in order to carry out a detailed analysis of the judgment and its implications for the transfer of personal data to third countries and international organisations.

You can read the press release, only available in Danish, here.

EDPB

The European Data Protection Board ('EDPB') issued, on 17 July 2020, a statement on the Schrems II Case, welcoming the CJEU's judgment and highlighting the need to conduct adequacy assessments prior to transferring data under the SCC mechanism. 

You can read the full story here.

EDPS

The European Data Protection Supervisor ('EDPS') issued, on 17 July 2020, a statement on the Schrems II Case, welcoming the CJEU's judgment and calling for federal US privacy reform.

You can read the full story here.

Estonia

The Data Protection Inspectorate ('DPI') issued, on 17 July 2020, a statement on the Schrems II Case in which it highlighted that an adequacy assessment must be carried out when transferring data under SCCs, and published guidance in relation to the same.

You can read the full story here.

European Parliament

The European Parliament published, on 15 September 2020, an informative paper on the Schrems II Case which summarises, among other things, first reactions from EU data protection authorities and the impact of the judgment on international relations, especially for third countries.

You can read the full story here.

Finland

The Office of the Data Protection Ombudsman issued, on 16 July 2020, a statement on the Schrems II Case, noting that the EDPB will assess the implications of the ruling at its plenary session on 17 July 2020, and will release more information on the effects of the ruling in the near future.

You can read the press release, only available in Finnish, here.

France

The French data protection authority ('CNIL') issued, on 17 July 2020, a statement in which it stated that it will carry out an in-depth analysis of the Schrems II Case and assess its impact for EU-US data transfers.

You can read the full story here.

Germany: Baden-Württemberg

The Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') issued, on 24 August 2020, its orientation guide on international data transfers in light of the Schrems II Case, including, among other things, a checklist for compliant data transfers and recommendations for data controllers to contact data recipients with regard to changes to SCCs.

You can read the full story here.

Germany: Berlin

The Berlin data protection authority ('Berlin Commissioner') issued, on 17 July 2020, a statement in which it, among other things, asked controllers to stop data transfers to the US.

You can read the full story here.

Germany: Federal

The Federal Commissioner for Data Protection and Freedom of Information ('BfDI') issued, on 16 July 2020, a statement in which it highlighted that there will be an onus on supervisory authorities and companies following the Schrems II Case.

You can read the full story here.

The German Data Protection Conference ('DSK') issued, on 28 July 2020, a statement including a first assessment on the impact the Schrems II Case has on data transfers to the US and other third countries.

You can read the full story here.

Germany: Hamburg

The Hamburg Commissioner for Data Protection and Freedom of Information ('HmbBfDI') issued, on 16 July 2020, a statement in which it highlighted inconsistencies with regard to Standard Contractual Clauses ('SCCs') and the expanding role of supervisory authorities with regard to international data transfers. 

You can read the full story here.

Germany: Rhineland-Palatinate

The Rhineland-Palatinate data protection authority ('LfDI Rheinland-Pfalz') issued, on 16 July 2020, a statement and frequently asked questions in which it emphasised the work needed for organisations to reassess data transfer practices in light of the Schrems II Case, and stressed organisations' audit obligations.

You can read the full story here.

Germany: Thuringia

The Thuringia State Commissioner for Data Protection and Freedom of Information ('TLfDI') issued, on 16 July 2020, a statement in which it expressed, among other things, concerns about the impact of the Schrems II Case on SCCs. 

You can read the full story here.

Greece

The Hellenic Data Protection Authority ('HDPA') issued, on 30 September 2020, a statement on the Schrems II Case, highlighting that, before relying on Standard Contractual Clauses ('SCCs'), data exporters must assess whether the data will be adequately protected in the recipient country bearing in mind the specific circumstances of the transfer and the supplementary measures taken by the data exporter.

You can download the statement, only available in Greek, here.

Iceland

The Icelandic data protection authority ('Persónuvernd') issued, on 16 July 2020, a statement on the Schrems II Case, highlighting that the EDPB will discuss the judgment during its meeting on 17 July 2020, and that Persónuvernd will release further guidance in the coming days.

You can read the press release, only available in Icelandic, here.

International

The Council of Europe's Chair and the Data Protection Commissioner ('DPC'), Alessandra Pierucci and Jean-Philippe Walter respectively, issued, on 7 September 2020, a joint statement on the Schrems II Case in which they highlight that being party to Convention 108+ could in the future also facilitate assessments in relation to SCCs.

You can read the full story here.

Ireland

The Data Protection Commission ('DPC') issued, on 16 July 2020, a statement in which, among other things, it questioned the future validity of SCCs.

You can read the full story here.

Italy

The Italian data protection authority ('Garante') issued, on 29 July 2020, its statement on the Schrems II Case.

You can read the statement, only available in Italian, here.

Jersey

The Jersey Office of the Information Commissioner ('JOIC') published, on 19 August 2020, a blog post from David Smith, member of the JOIC, on the Schrems II Case, which notes, among other things, the position of businesses relying upon SCCs for international data transfers and highlights that the judgment does not specify the additional safeguards data exporters can implement.

You can read the full story here.

Latvia

The Data State Inspectorate ('DVI') issued, on 20 July 2020, its statement on the Schrems II Case.

You can read the statement, only available in Latvian, here.

Liechtenstein

The Liechtensteiner data protection authority ('DSS') issued, on 17 July 2020, a statement in which it highlighted that, until a new agreement with the US on data transfers is agreed, organisations will have to rely upon appropriate safeguards under Article 46 of the GDPR, and in particular upon SCCs, and updated its guidance on international data transfers in light of the same.

You can read the full story here.

Luxembourg

The National Commission for Data Protection ('CNPD') issued, on 20 July 2020, its statement on the Schrems II Case.

You can read the statement, only available in French, here.

Norway

The Norwegian data protection authority ('Datatilsynet') issued, on 16 July 2020, a statement in which it noted, among other things, that any companies currently using the EU-US Privacy Shield framework must consider other bases for transferring data to the US, and that it will collaborate with other supervisory authorities in the EEA in order to provide further guidance to assist companies' compliance with the decision.

You can read the full story here.

Datatilsynet published, on 27 July 2020, Questions & Answers on the Schrems II Case.

You can read the full story here.

Romania

The National Supervisory Authority for Personal Data Processing ('ANSPDCP') issued, on 20 July 2020, its statement on the Schrems II Case.

You can read the statement, only available in Romanian, here.

Serbia

The Commissioner for Information of Public Importance and Personal Data Protection ('Poverenik') issued, on 11 August 2020, a statement on the Schrems II Case and highlighted that it had sent a letter to the Government of Serbia to harmonise the Law on Protection of Personal Data 2018 with the Schrems II Case and European practice.

You can read the full story here.

Slovenia

The Information Commissioner issued, on 16 July 2020, a statement in which it highlighted, among other things, that organisations that export data to the US and have so far relied on the recipient company being included in the EU-US Privacy Shield List must ensure that transfers are justified on another basis as soon as possible (e.g. SCCs, Binding Corporate Rules ('BCRs'), and exceptions), otherwise personal data may not be transmitted to the US.

You can read the full story here.

Slovakia

The Office for Personal Data Protection of the Slovak Republic ('ÚOOÚ') issued, on 16 July 2020, its statement on the Schrems II Case.

You can read the statement, only available in Slovak, here.

Spain

The Spanish data protection authority ('AEPD') issued, on 22 July 2020, its statement on the Schrems II Case, calling for a common European approach to international data transfer regulation going forward. 

You can read the full story here.

Switzerland

The Federal Data Protection and Information Commissioner ('FDPIC') issued, on 16 July 2020, a statement in which, among other things, it stated that the Schrems II Case is not directly applicable to Switzerland.

You can read the full story here.

UK

The Information Commissioner's Office ('ICO') issued, on 16 July 2020, a statement in which it announced its intentions to support UK organisations following the Schrems II Case, as well as work with government and international agencies to ensure the continuation of international data transfers.

You can read the full story here.
