Constantine Karbaliotis and Abigail Dubiniecki write on the topic of what Canadian companies should do after Schrems II:

  • If you are processing data as controller, or as a processor for a client with European Union personal data, and relying on onward transfers, first do a risk assessment; and then assuming the risks are addressable, put in place Standard Contractual Clauses (SCCs) between yourself and any organization doing processing for you, if in a non-adequate country.
  • If you are relying on adequacy for transfers from the EU to Canada, be sure you are correct in doing so; and if you cannot rely on adequacy, again, conduct a risk assessment and document the transfer with an SCC.

Read the full text of the article.