• The Bailiwick of Guernsey’s Office of Data Protection Authority has stated its position on #SchremsII: You must invest resources into ensuring appropriate safeguards are in place.
  • Identify if you have been relying on the EU-U.S. Privacy Shield for data transfers. Check the terms of service, contracts or privacy statements for all third parties you may use to process your data including ubiquitous social networks, mailing providers; event registration providers, collaboration software.
  • If you have been relying on Privacy Shield you must work towards an alternative.
  • If you are relying on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), you must comprehensively review them and ensure they accurately reflect detailed consideration of risks and safeguards.
  • It is clear that relying on “derogations”’ in light of this judgement is no longer a straightforward matter and reliance upon any mechanisms cannot be a paper exercise.
  • While this judgement does not prohibit data transfers outside of the European Economic Area and adequate jurisdictions, you do need to carefully review your position and invest resources into ensuring appropriate safeguards are in place.

EU/US Privacy Shield data transfers invalid