Question 6
UnclassifiedAfter Schrems II, why do organizations often evaluate supplementary measures alongside standard contractual clauses?
Correct answer: B
Explanation
After Schrems II, standard contractual clauses alone may not ensure an “essentially equivalent” level of protection if the destination country’s laws allow government access to data. Organizations therefore assess “supplementary measures” to address government-access and other risks in the destination context.
Why each option is right or wrong
A. Because SCCs were banned worldwide
B. Because transfer assessments may need to address government-access and other risks in the destination context
Under the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II, Case C-311/18, 16 July 2020), SCCs remain valid only if, in practice, the law and surveillance powers of the third country do not prevent compliance with the clauses; if they do, exporters must adopt additional safeguards or suspend the transfer. The EDPB’s Recommendations 01/2020 require a transfer risk assessment focused on destination-country government access and related legal risks, because the exporter must verify whether the protection is effectively equivalent in context, not just on paper.
C. Because SCCs can be used only for paper records
D. Because supplementary measures are required only for domestic U.S. transfers