Following a recent decision of the Court of Justice of the European Union (ECJ) in Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrem (known as Schrem II), the European Data Protection Board has published Frequently Asked Questions on this decision. In Schrem II, ECJ examined, among other things, the validity of the so-called Standard Contractual Clauses (“SCCs”) as a safe harbor for the transfers of personal data from the EU to the United States under the EU General Data Protection Regulation (“GDPR”). The decision clarifies that, while an EU controller of personal data (i.e., a person who determines the purpose and means of processing personal data) may rely on SCCs, the controller has an affirmative obligation to conduct an assessment prior to the transfer of data based on the SCCs and determine whether appropriate safeguards (including adequate protection under domestic law) can be ensured by the recipient of the data outside the EU. If the conclusion is that appropriate safeguards cannot be ensured, the EU controller must suspend or end the transfers of personal data.
The FAQs will be of interest to managers with U.K. or EU offices, or managers that receive personal data relating to U.K./EU individuals in the context of investments in European assets (e.g., consumer loan portfolios or private equity investments in U.K./EU companies).
This article appeared in the August 2020 edition of SRZ’s Private Funds Regulatory Update. To read the full Update, click here.
 See European Data Protection Board publishes FAQ document on CJEU judgment C-311/18 (Schrems II), available here.