Today's economy thrives on the free flow of personal information. The GDPR significantly restricts the ability of companies to export personal information outside the European Union (EU). On July 16, 2020, only two years after the GDPR became effective, the European Court of Justice (ECJ) issued a ground-breaking judgement in Schrems II, declaring the EU-US Privacy Shield invalid. In addition, the Schrems II ruling also specifies requirements that companies must meet when using the Standard Contractual Clauses (SCCs) for data exports. The ruling has far reaching consequences for companies doing business in the EU, both in the B2C and B2B context.

The Wilson Sonsini Privacy and Cyber Security team is organizing a series of webinars to address data transfer issues, given the business impact and legal uncertainty resulting from the Schrems II ruling. The series offers practical tips and insights on how to address data transfers restrictions and provides the latest developments in this fast-moving area.

The fourth session will discuss the supplemental measures that companies may consider adopting to secure the continued export and import of personal data in compliance with the Schrems II ruling.  We will assess the guidance of the EDPB on the matter and provide examples through practical use-cases.

Items that will be covered include:

• When should supplemental measures be considered;
• What are the measures that have been identified by the EDPB;
• Practical use cases;
• What companies are doing in practice and which measures are most frequently relied upon.