Borders final draft 10
![borders final draft 10 borders final draft 10](https://cdn.vdocuments.site/img/1200x630/reader025/reader/2021042300/60717ea456f1b961e74abb0c/r-1.jpg)
The Recommendations state that the derogations must be used: “in a way which does not contradict the very nature of the derogations as being exceptions from the rule…Derogations cannot become “the rule” in practice, but need to be restricted to specific situations.” While the first draft of the Recommendations stated that the derogations under GDPR Article 49, such as consent or contractual necessity, should only be used for occasional and non-repetitive transfers, and interpreted restrictively, the final draft Recommendations provides a slightly broader scope. Mechanisms such as the SCCs and Binding Corporate Rules should be used for regular, repetitive transfers. Organizations should identify the data transfer mechanism relied on under Chapter V of the GDPR, if necessary. The mapping exercise should include onward transfers made by processors to whom data is disclosed. Organizations should map their data transfers, keeping in mind that access from a third country ( e.g., storage in the cloud outside the EU) constitutes a transfer, and verify that the data transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred. The final Recommendations retain the six-step process set forth in the first draft of the Recommendations, as described below:
![borders final draft 10 borders final draft 10](https://i.ytimg.com/vi/KaJ58F6uaBY/maxresdefault.jpg)
If the level of protection is not essentially equivalent, organizations must assess whether supplementary measures should be implemented. In that case, the Court of Justice of the European Union required organizations relying on appropriate safeguards, such as the SCCs, under Article 46 of the EU General Data Protection Regulation (“GDPR”) to transfer personal data outside the European Economic Area (“EEA”) to verify, on a case-by-case basis, whether the law of the destination country ensures a level of protection for the personal data that is essentially equivalent to that in the EEA. The EDPB released its first draft of the Recommendations in November 2020, following the Schrems II judgement.
![borders final draft 10 borders final draft 10](https://cdn.factcheck.org/UploadedFiles/Trumps-Numbers-2021final-draft.png)
On June 21, 2021, following a public consultation, the European Data Protection Board (“EDPB”) published the final version of its recommendations on supplementary measures in the context of international transfer safeguards, such as Standard Contractual Clauses (“SCCs”) (the “Recommendations”).