Blog details



The data protection industry is constantly evolving as the GDPR is implemented by organisations and enforced by the Data Protection Authorities. 


New year, new beginnings? That is not always the case, at least definitively not when the previous year has provided valuable insights for the upcoming one. Considering that the GDPR has been in application since 2018, it is still a relatively new piece of legislation about which stakeholders are still learning, including organisations, Data Protection Authorities (DPAs) and the broader society. This is the reason why we need to take a close look to any development in the industry, as it may be determining for the future of data protection. In this post we go through the main takeaways of 2021.

Schrems II and new SCCs

After Schrems II and the caveats that the CJEU added to the use of SCCs, the EU Commission adopted a new set of SCCs for the transfer of personal data to third countries in June 2021 as we informed in Aphaia’s blog. These new SCCs brought practicality and flexibility through a modular approach which makes them suitable for any type of data transfer, regardless of the role taken by the controller or the processor as the data exporter or the data importer. The new SCCs also include a toolbox and some supplementary measures aimed at helping controllers and processors to make safe international data transfers, built on the need for performing a Data Transfer Impact Assessment which the parties can use to identify the risks of the transfer and their ability to comply with the clauses. 

It should be noted that the ICO has not pronounced about the new SCCs yet. The ICO is planning to produce its own SCCs for restricted transfers made from the UK.

Other updates

Together with the new SCCs for international data transfers, the EU Commission also published a set of SCCs covering Article 28 GDPR requirements. However, unlike SCCs for international data transfers, these are not mandatory and controllers and processors can still use their own terms in data processing agreements.  

Not new in 2021 but still work in progress over the year, we find the rules on cookies and the concept of joint controllership. Many organisations are still updating their cookie banners to include toggles or checkboxes for each not strictly necessary cookie. Cookies are also relevant in terms of data protection roles as, as any other joint personal data processing, if there are two or more parties involved, they may trigger joint controllership as a result of converging decisions.

GDPR enforcement

The impact of the work carried out by the DPAs is not clear at this stage. First because the GDPR has only been around since 2018 and we all are still learning, secondly because GDPR investigations are lengthy and consume a lot of time, running into several months, and thirdly because each DPA has its own criteria beyond Article 83 GDPR. For example, Portugal’s GDPR national implementation legislation places a 3 year moratorium on administrative fines to public bodies. On the other hand, in Spain no fines can be imposed on the public sector. Aligned actions and criteria would help to enhance the consistency mechanism, contributing to the consistent application of the GDPR throughout the EU.  

The role of the DPAs may also change in the upcoming years as new pieces of legislation enter into force, such as the EU AI Regulation Proposal.

The regulatory fines

Regarding fines, it should be noted that the GDPR fines have ramped up significantly in recent months, although it should be taken into account that not only the amount of the fine is important when it comes to infringements, but also the cost that the process implies for the organisations involved and the damage to the corporate reputation. 


I had the chance to discuss this with JC Gaillard from Corix Partners in their Cyber Security Transformation Podcast. You can access it [here].


Does your company have all of the mandated safeguards in place to ensure the safety of the personal data to collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today


Prev post
Nuevo Comisionado de la Información en Reino Unido; John Edwards
January 6, 2022
Next post
January 11, 2022

Leave a Comment