Insights European Data Protection Board adopts Statement on personal data transfers to the Russian Federation


The EDPB notes that because Russia is in a de facto state of war against Ukraine, it has been excluded from the Council of Europe and is therefore no longer a contracting party to Council of Europe conventions and protocols. Russia will also cease to be a High Contracting Party to the European Convention on Human Rights as of 16 September 2022.

Although Russia will continue to be a contracting party to Council of Europe conventions and protocols that are open to non-Member States, e.g. Convention 108, the way Russia will participate in these instruments is still to be determined.

These changes could have a significant impact on the level of protection of data subjects, the EDPB says.

The EDPB observes also that Russia does not benefit from an adequacy finding by the European Commission in accordance with Article 45 of the GDPR. Therefore, transfers of personal data to Russia must be carried out using one of the other transfer instruments set out in Chapter V of the GDPR. The EDPB notes that when personal data is transferred to Russia, data exporters under the GDPR should assess and identify the legal basis for the transfer and the instrument to be used among those provided by Chapter V GDPR (e.g. Standard Contractual Clauses or Binding Corporate Rules), in order to ensure the application of appropriate safeguards.

Further, following the CJEU Schrems II ruling, and in accordance with the EDPB Recommendations on supplementary measures, data exporters should assess if, in the context of the specific transfer, there is anything in the law and/or practices in force in Russia (in particular, regarding access to personal data by the Russian public authorities, especially for criminal law enforcement and national security purposes) that may impinge on the effectiveness of the appropriate safeguards provided by the transfer instruments identified. If this is the case, data exporters should identify and adopt supplementary measures that are necessary to ensure that data subjects are afforded a level of protection that is essentially equivalent to that guaranteed within the EEA. Where such assessment leads to the conclusion that compliance is not (or no longer) ensured, and that no supplementary measures could be identified, data exporters must suspend data transfers. To read the EDPB’s Statement in full, click here.