Recommendations on supplemental measures to ensure compliance with the EU level of protection of personal data


The Dutch Confederation of Dutch Industries and employers (VNO-NCW / MKB-Nederland) welcomes the possibility to provide input on the proposed Recommendations on supplemental measures from the EDPB.


We appreciate the effort the EDPB put into drafting the Recommendations on supplemental measures, illustrated with examples, with the aim to provide businesses – in the aftermath of the Schrems-II judgment - with guidance on performing a risk assessment in order to determine which organizational, contractual and/or technical measures to take to supplement the SCCs to mitigate the risks of a specific data transfer to a third country.


Many companies and other organisations, big and small, take part in the global digital economy, an economy that does not recognize borders. As a result of (fast) technological developments and data flows the digital economy will be able to expand in the near future and, for instance, making it possible for SMEs to take their part in the digital economy which is an essential development for their resilience and sustainable development. New European legislation initiatives such as the Digital Services Act and the Data Governance Act have the ambition to empower such growth and strengthen the position of Europe in the global market.


Unfortunately the current take by the EDPB in its Recommendations will undermine this singlehandedly. Although the EDPB alludes in its Recommendations to free privacy protected global data flows around the world, close reading of these Recommendation shows us otherwise. Bottom line is that the only usable supplemental measure according to the EDPB are technical measures, namely encryption, pseudonymization and splitting the data and if this fails, no transfer of any personal data is allowed to third countries. Irrespective of the specific risk of actual harm / impact on the data subjects in question.


The EDPB is of the opinion that no contractual or organization measures or combination of them can be put into place to enable the data transfer, although the harm / impact on the data subject in question is relatively low. We propose a risk based approach which factors in the specific risk of actual harm / impact on the data subjects in question, taking into account all relevant factors of the data transfer and stay closely aligned with the spirit of the GDPR which fundament is a risk based approach; as well as a holistic view by taking into account other relevant fundamental rights in play.


We also propose the EDPB takes an active role in assisting / taking out of hands the assessment of third countries laws. Assessing third country laws is not only too far reaching for most organizations (due to the significant expert resource investment it would take), especially the smaller ones (which would lead to a shift on the level playing field), it will also lead to fragmentation in the internal market which in and of itself does not contribute to increased protecting of the EU citizen’s personal data. Last but not least we call for the Recommendations to form a coherent whole with the updated SCCs.


We would like to take this opportunity to address some points of concern regarding the Recommendations on supplemental measures.




The Dutch Confederation of Dutch Industries and employers calls for risk based practical EDPB Recommendations on supplemental measures to enable actual use of the SCCs (and BCRs) for data transfers to third countries. As well as ongoing adequacy negotiations to raise the level of protection in the world.


Zie downloads hieronder voor de volledige documenten.