Abstract

The current regulatory landscape is not friendly to the entities participating in data transfers. Schrems II has changed the approach to legalizing transfers of personal data to third countries. Transfer Impact Assessment was first specified in the Schrems II judgment, and later confirmed and developed in the EDPB Recommendations 01/2020 and confirmed in Clause 14 of the new SCC. When carrying out a TIA it is necessary to identify the participants in the data transfer, the transfer tool, the context of the transferred data, the type of the data recipient or the type of the data transferred, and in particular the legal regulations and practice of the third country. The conclusions drawn from the Schrems II judgment indicate that the transfer of personal data to the US solely on the basis of the SCC does not ensure compliance with the EU level of personal data protection. It is technical security measures and the appropriate configuration of security measures offered by service providers that are in practice most important and effective in carrying out a TIA.