The European Data Protection Board (EDPB) adopts final version of recommendations regarding personal data transfers to third countries after Schrems II

The EDPB adopted on 18 June a final version of recommendations regarding transfer of personal data to countries outside the EEA (third countries) that do not provide sufficient protection for personal data and where “supplementary measures” may be required.[1] The background for the recommendations is the CJEU’s ruling in Schrems II (see here), which since its publication has caused uncertainty regarding transfer to third countries and, in particular, the usage of public cloud services that include such transfer.

The CJEU found in Schrems II that when personal data is transferred to a third country, the protection for the personal data must be essentially equivalent to the level of protection guaranteed within the EEA.

The recommendations were adopted to help personal data exporters to assess what supplementary measures (technical, contractual or organisational) that may be required in order to compensate for the potentially insufficient protection of personal data in the receiving country. Such assessment may also lead to the conclusion that the transfer cannot be performed, and that certain public cloud services therefore cannot be used in the intended manner.

For this assessment, the EDPB presents a list consisting of six steps:

  1. Map all the third country transfers (“know your transfers”).
  2. Verify the transfer tool in chapter V in the GDPR that your transfer rely on, for example standard contractual clauses, binding corporate rules etc.
  3. Assess whether anything in the law and/or practices in force in the third country may impinge on the effectiveness of the transfer tool for the current transfer.
  4. Identify and adopt supplementary measures that may be required in order to ensure a level of protection for the personal data that is essentially equivalent to the level of protection guaranteed within the EEA.
  5. Take any formal procedural steps that the adoption of your supplementary measure may require, depending on what transfer tool in Article 46 in the GDPR that your transfer is relying on.
  6. Re-evaluate, at appropriate intervals, the level of protection for your personal data and ensure that nothing that can affect the level of protection has occurred or will occur.

In the final version of the recommendations, the EDPB emphasizes the assessment of the level of protection in the third country to which the personal data is transferred (step 3 above) and requires an extensive and accurate investigation and assessment of the data protection conditions in the third country. However, the EDPB states that if it is uncertain whether the data importer is covered by “a problematic legislation” or not, you are allowed to take into consideration if the data importer or other operators in the same business have been subject for requests for access received from public authorities in the third country. That is one among several other factors that can be taken into consideration when assessing whether there is a reason to assume that a problematic legislation will be applicable on the transferred personal data.

The purpose of the supplementary measures is to compensate for the insufficiency in the third country’s level of protection and to ensure an essentially equivalent level of protection for personal data as the one guaranteed within the EEA. The assessment regarding the need of supplementary measures must be made based on the circumstances in every individual situation and taking into account i.a. the format (encrypted, pseudonymised) and nature of the personal data.

One of the recommendation’s appendices describe seven use cases. Five of them are examples of situations where specific complementary technical measures, such as correctly implemented encryption or pseudonymisation, may constitute sufficient security measures. The two remaining use cases are examples of situations where the EDPB makes the assessment that there are no sufficient technical security measures that can be used to meet the EU level of protection.


The final version of the recommendations gives in some regards a better guidance than the draft, but it is still missing the clear support regarding risk assessment that many operators have been requesting.

Further, EDPB sets high requirements on extensive investigations and complex assessments, in particular regarding the level of protection in the receiving countries, and on how efficient supplementary measures shall be adopted. It appears to be difficult to make these assessments without assistance from experts that have knowledge regarding the third country’s legislation and practice and the authorities requests of access to personal data stored at the data importer.

According to the EDPB, the data importer, i.e the receiver of personal data in a third country, for example a cloud service provider, shall assist the data exporter and provide basis for the assessments. However, EDPB state that not all sources can be used for the assessment. The sourses must be relevant, objective, reliable, verifiable and generally accessible. The EDPB attached to the recommendations a list of sources that can be used for the assessment, i.a. a report from the European Council and other international organisations, academic institutions and non-profit organisations, so-called NGO:s. To our knowledge, there are no reports that assess the level of protection for personal data in different third countries in the manner that the EDPB and Schrems II require.

Out of experience, we know that it is generally complicated to receive sufficient basis from the suppliers in order to make the assessment. That may depend on the suppliers’ lack of competence, or that they are reluctant to inform that the third country’s public authorities may request for access to the data in their services.

Based on the use cases that EDPB mentions in the recommendations, you can draw the conclusion that regarding SaaS services and other cloud services where the personal data must be available in the clear (i.e. without strong encryption or pseudonymisation), there are no supplementary measures that can compensate for insufficiencies in a third country’s level of protection for personal data. This conclusion seems, however, hard to unite with the EBPB’s earlier statement that i.a. the nature of the personal data can be taken into account when assessing security measures.

Please feel free to contact Johan Kahn or Daniel Lundqvist if you have any questions regarding the EDPB’s recommendations or transfer of personal data to third countries.

[1] Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data Version 2.0, Adopted on 18 June 2021. The recommendations are an updated version of the draft that EDPB adopted in November 2020 (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Adopted on 10 November 2020 version for public consultations)[1] which we commented here.

Legal Report on the use of Public Cloud Services for Swedish businesses

Kahn Pedersen today publishes an English summary of our previous report on the use of public cloud services for businesses in Sweden. This version includes updated sections regarding the Swedish Protective Security Act and the European Data Protection Board’s draft recommendation for supplementary measures in connection with cross border transfers of personal data to third countries. The report also includes an introduction to our unique tool for legal risk assessment and risk visualization for cloud services – the so-called Folke© Methodology. The report is available for download without charge here >>.

New article for the Swedish Purchasing Counsil

The Swedish Government recently published the draft A Stronger Protection for Sweden’s Security (only in Swedish) with proposals for a number of news and amendments to the Swedish Protective Security Act, which will affect all operators undertaking security-sensitive activities (operators).

The draft, which is supposed to enter into force as early as 1 December 2021, entail significant changes to the Protective Security Act. For example, the obligation to enter into a protective security agreement will include mere collaborations and cooperation, not only procurements. The Government also proposes that operators shall carry out special security assessment as well as suitability assessments before concluding protective security agreements, and that operators will have an obligation to continuously revise existing protective security agreements.

In addition to the obligations becoming more firm, it is proposed that the supervisory authorities be given increased powers, including the possibility of deciding on administrative fees of up to SEK 50 million.

In other words, it is important that all operators becomes familiar with the proposed changes and prepare their operations in advance, so that they are ready when the proposals are implemented in December this year.

Senior Specialist Viktor Robertson and Associate Albin Svensson have analysed the proposed changes and summarised their consequences for operators, which have been published in an article on the Swedish Purchasing Counsil’s website (only in Swedish).

Chambers ranks Kahn Pedersen as a leading firm in all practice areas

For the second consecutive year, Chambers & Partners ranks Kahn Pedersen’s practice groups Public and Digital in the very highest category “Band 1”. The individual lawyers with Kahn Pedersen are also considered as some of the most regarded in Sweden within their practice areas. For Public Procurement, Kristian Pedersen is ranked in Band 1. For Information Technology, Johan Kahn is ranked as one of two Swedish lawyers in Band 1. Erik Olsson is ranked in Band 2 for Public Procurement. Daniel Lundqvist is previously ranked in Band 2 for Fintech is ranked in Band 3 for Information Technology.

Not many law firms in the World would have all of their practice groups ranked in Band 1. Our high degree of specialization of course makes it easier than for a full-service firm that naturally could not have the same focus. That is why we have chosen to be the firm we are.” Says Kristian Pedersen, CEO

New Article in Svensk Juristtidning

Christian Hybbinette and Michael Nevinson have published an article in the Swedish legal journal Svensk Juristtidning. The article outlines the news in the latest editions of the standard agreements for the Nordic market, for the supply of machinery and standardized goods and other bulk items: NL 17, NLM 19 and NLS 19. In the article, the authors also give an account for the differences compared to the older version of each respective standard agreement.

Kahn Pedersen top-ranked again

The British ranking institute Who’s Who Legal has once again ranked Kahn Pedersen as a leading advisor within the firm’s both practice areas – Digital and Public. Kristian Pedersen is ranked as ”Global Elite Thought Leader” in the Government Contracts category, as well as ”Global Leader” and ”National Leader” in said category. Erik Olsson is ranked as  ”Global Leader” and ”National Leader”, also in the category Government Contracts. Johan Kahn is ranked as ”Thought Leader” in the categories ”Information Technology”, ”Data Privacy and Protection” and “Data Security”. Han he is also ranked as “Global Leader” and ”National Leader” in said categories. For more information, please see:

Daniel Lundqvist top-ranked by Chambers & Partners again

We are delighted to announce that Daniel Lundqvist, partner at Kahn Pedersen, has been ranked as a leading legal advisor for “Fintech” once again. In its 2021 rankings, the international ranking institute Chambers & Partners ranks Daniel as one of three leading advisors in Sweden and states that Daniel is ‘very, very skilled in outsourcing deals and IT contract negotiations in the FinTech space. He has really grown his practice over the years.

Digitalization in the finance sector continues to be one of our core expertise areas within our Digital practice. We are very pleased that Daniel and our Digital-team have represented several Swedish banks, bank joint ventures and insurance companies on issues related to cloud migration, outsourcing and strategic technology sourcing. In connection with these assignments, we have developed several unique methods to analyze and visualize legal risk in connection with digitalization. As an example, our recent report on public cloud services >> [only available in Swedish] introduces the so-called Folke© Model, which we have found extremely useful in connection with cloud migration”, says Kristian Pedersen, MP and CEO of Kahn Pedersen. “We think Daniel’s ranking shows that our legal expertise in this area is market-leading, which is perfectly in line with our ambitions as a highly-specialized law firm”, Kristian Pedersen adds.

Kahn Pedersen further strengthens the Digital team

At the beginning of next year, Christian Hybbinette, Fredrik Sandström and Michael Nevinson will be joining Kahn Pedersen law firm, Christian as Partner, Fredrik as Senior Associate and Michael as Senior Associate. The trio joins from AG Advokat, where they are working today in the same department with a focus on the industrial sector.

Christian has nearly 20 years of experience in providing contract-related advice to clients in the industrial and real estate sectors, and was prior to his time at AG Advokat the head of Vinge’s Commercial Agreements practice. Fredrik has worked at AG Advokat since 2015 and has, among other things, been seconded to one of the world’s largest suppliers of renewable solutions based on wood and biomass. Michael has worked at AG Advokat since 2018 and prior to that served as a law clerk.

“Sweden is facing a huge transformation of the industry in order to keep up with international development. Christian and team have combined expertise in Industry 4.0 that will really strengthen our Digital offering and will alow us to meet the existing demand that we see on the market. We are very happy that they have chosen to join Kahn Pedersen because it means that we are both able to bring market-unique expertise on the industrial side but also that we get some of the country’s foremost contract lawyers on our team.” says Kristian Pedersen, Partner and CEO, Kahn Pedersen.