The European Data Protection Board (“EDPB”) demands additional measures for data transfers to Russia. It published a statement on this on 12nd July 2022.
The EDPB specifically highlighted that Russia will not benefit from an adequacy decision by the European Commission under Article 45 of the GDPR (Regulation (EU) 2016/679). Transfers of personal data to Russia must therefore be carried out using one of the transfer instruments provided for in Chapter V of the GDPR. Adequate safeguards for transfers of personal data to Russia must also be ensured.
In order to ensure compliance with GDPR for personal data, data exporters have to assess on a case-by-case basis whether there are any laws and/or practices in force in Russia in relation to the transfer. Such practices could, for example, allow access to personal data by Russian authorities for law enforcement and national security purposes and would thus affect the effectiveness of the adequate safeguards.
Thus, the EDPB stated that if this is the case, data exporters must take complementary measures to ensure that data subjects are provided with a level of protection that is substantially equivalent to the level of protection within the EU or EEA.
Data exporters who fail to ensure compliance shall suspend data transfers.