EDPB recommendations on measures to secure personal data transfers

November 16th, 2020

On 11 November 2020, the European Data Protection Board (EDPB) published new recommendations on extra measures that businesses should consider whether they need:

  • IF they transfer personal data from the European Economic Area to countries that are not considered by the European Commission (EC) to offer adequate data protection;
  • AND they rely on standard contractual clauses, binding corporate rules or other "appropriate safeguards".

These recommendations and measures are designed to ensure compliance with EU data protection laws. In particular, they focus on the requirement to carry out an assessment of the national law of the third country and, if necessary, to put in place supplementary technical measures (such as encryption and pseudonymisation) for personal data transfers.

The recommendations apply to the UK and may have to be considered for transfers of personal data from the EEA to the UK following the end of the Brexit transition period if the EC does not make an adequacy decision for the UK. The recommendations take immediate effect but are open for public consultation until 30 November 2020.

The EDPB gives some examples of personal data transfers which, together with supplementary measures, might offer an adequate level of data protection:

  • Transfer of pseudonymised data where only the EEA data exporter has the key to allow a third party to attribute the personal data to an individual (and not even the public authorities in the third country can attribute the personal data).
  • Encrypted data storage in a third country for backup and other purposes, where access to the data in the clear is not required and the encryption keys are retained solely under the control of the EEA data exporter.

Link to the Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data Adopted on 10 November 2020: