Our feedback focusses mainly on the relevance of international transfers of personal data, particularly by standard data protection clauses and approved codes of conduct, and the general experience with the adoption of Art. 40, 41 GDPR. Some of our key takeaways are:
- It is recommended to enhance legal certainty by introducing standard data protection clauses, particularly for processor-to-processor relationships (interested parties may check out our SDPC project in this context).
- It is recommended to start enabling codes of conduct as additional safeguard for third country transfers, as provided by GDPR.
- Regarding codes of conduct in general several needs of clarification are pinpointed and possible adaptions and enhancements, following practical needs and experience, are suggested.
- Regarding monitoring bodies in general several needs of clarification are pinpointed, with a focus on the relationship of Art. 40 and Art. 41 GDPR, especially related to the formal procedures of approval respectively accreditation.