"EDPB FAQ 3
: Is there any grace period during which I can keep on transferring data to the U.S. without assessing my legal basis for the transfer?
: No, the Court has invalidated the Privacy Shield Decision without maintaining its effects, because the U.S. law assessed by the Court does not provide an essentially equivalent level of protection as in the EU. This assessment has to be taken into account for any transfer to the U.S."
"EDPB FAQ 10:
What kind of supplementary measures can I introduce if I am using SCCs or BCRs to transfer data to third countries?
The supplementary measures you could envisage where necessary would have to be provided on a case-by-case basis, taking into account all the circumstances of the transfer and following the assessment of the law of the third country, in order to check if it ensures an adequate level of protection.
The Court highlighted that it is the primary responsibility of the data exporter and the data importer to make this assessment, and to provide necessary supplementary measures.
The EDPB is currently analysing the Court’s judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical or organisational measures, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own.
The EDPB is looking further into what these supplementary measures could consist of and will provide more guidance."