Certified Information Privacy Professional – Europe (CIPP/E) — Question 250

In the wake of the Schrems II ruling, which of the following actions has been recommended by the EDPB for companies transferring personal data to third countries?

Answer options

• A. Adopting a risk-based approach and implementing supplementary measures as needed.
• B. Ensuring that all data transfers are encrypted with unbreakable encryption algorithms.
• C. Obtaining explicit consent from each EU citizen for every individual data transfer.
• D. Storing all personal data within the borders of the European Union.

Correct answer: A

Explanation

The recommended approach by the EDPB is to adopt a risk-based strategy while implementing supplementary measures as required, which helps ensure compliance with data protection standards. The other options are either impractical, such as obtaining explicit consent for every transfer, or not aligned with the EDPB's guidance, like the absolute requirement for unbreakable encryption or storing all data exclusively within the EU.