The European Data Protection Board has said that the new draft standard clauses for:
- contracts between controllers and processors within the EEA; and
- the transfer of personal data to non-EEA countries,
are not quite right. Tweaks are needed.
The new draft clauses for non-EEA transfers remain very important in the Brexit context. While the EU-UK trade deal contains a 'bridging mechanism' to allow the continued free flow of personal data from the EEA to the UK for up to 6 months, pending a potential EU adequacy decision in favour of the UK data protection regime, that 'bridge' comes with conditions that the UK might conceivably breach; and an adequacy decision is not assured.
Meanwhile the EDPB is also consulting until 2 March on the Examples for giving notifications of data breaches.