Rhineland-Palatinate: LfDI Rheinland-Pfalz stresses audit obligations and SCC limitations in Schrems II FAQs
The Rhineland-Palatinate data protection authority ('LfDI Rheinland-Pfalz') issued, on 16 July 2020, its statement ('the Statement') and frequently asked questions ('FAQs') on the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II case'). In particular, the LfDI Rheinland-Pfalz noted that the CJEU invalidated the EU-US Privacy Shield as the legal basis for personal data transfers to the US.
Furthermore, the LfDI Rheinland-Pfalz noted that the CJEU confirmed the validity of Standard Contractual Clauses ('SCCs') for data transfers to third countries, but that the CJEU has made it clear that companies cannot free themselves from their audit obligations by using SCCs, as companies cannot avoid dealing intensively with the national laws of the third country to which they want to transmit data. In addition, if the data recipients are subject to the legal rules of their home country that violate European data protection law, they may not be able to comply with the SCC's contractual provisions.
Additionally, the LfDI Rheinland-Pfalz stated in the FAQs that, as of 16 July 2020, data transfers based on the Privacy Shield are illegal and that data controllers must immediately switch to other transfer instruments in Chapter V of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and that there is no transition period for compliance as the GDPR does not provide for a waiting period by the supervisory authorities. Specifically, if no other transfer instruments are available and there is no exception under Article 49 of the GDPR, the data controller must suspend the data transfer.
Moreover, the LfDI Rheinland-Pfalz stipulated in the FAQs that SCC contracts do not have to be changed, but the CJEU has made it clear that data controllers who use SCCs have to fulfill their obligations. Additionally, if the processor in the third country is subject to laws that make it impossible for them to follow the instructions of the data exporter and to comply with their contractual obligations, the data exporting controller in the EU has the contractually justified right to suspend the data transfer and/or to withdraw from the contract in order not to violate the provisions of the GDPR.
Finally, the LfDI Rheinland-Pfalz outlined in the FAQs that supervisory authorities are still examining whether the CJEU judgment will impact other instruments for data transfers listed in Chapter V of the GDPR, such as Binding Corporate Rules ('BCRs').