The European Data Protection Board has said that the new draft standard clauses for: 

  • contracts between controllers and processors within the EEA; and 
  • the transfer of personal data to non-EEA countries, 

are not quite right. Tweaks are needed. 

The new draft clauses for non-EEA transfers remain very important in the Brexit context. The EU-UK trade deal contains a 'bridging mechanism' that allows the continued free flow of personal data from the EEA to the UK for up to 6 months, pending a potential EU adequacy decision in favour of the UK data protection regime. However, that 'bridge' comes with conditions that the UK might conceivably breach, and an adequacy decision is not assured.

Meanwhile, the EDPB is also consulting until 2 March on the Examples for notifying data breaches.