Our Response to Schrems II
CBRE is committed to respecting and protecting the data protection and privacy rights of our employees, clients and stakeholders in the EU/EEA and globally. We are taking proactive steps to ensure that international data transfers continue lawfully and in full compliance with the “Schrems II” decision, issued on 16 July 2020 by the Court of Justice of the European Union.
The decision by the EU’s highest court invalidated the EU-US Privacy Shield Framework. It also affirmed the validity of EU Standard Contractual Clauses (SCCs) as a lawful mechanism to transfer personal data from the EU/EEA to non-EU/EEA countries, provided adequate protection under EU law is assured. CBRE is taking proactive steps to ensure that all data transfers continue lawfully and in full compliance with the Schrems II decision, including:
- Continuing to rely on EU SCCs as affirmed by the EU’s highest court to lawfully transfer personal data from the EU/EEA to non-EU/EEA countries, including the U.S. We are closely monitoring and awaiting further guidance from the European Data Protection Board (EDPB), the UK’s Information Commissioners Office (ICO), and other EU supervisory authorities, as well as the European Commission’s progress towards updated SCCs.
- Evaluating alternative lawful transfer mechanisms in those limited instances in which we have relied on CBRE’s EU-US Privacy Shield certification, including the use of GDPR Article 49 derogations, and will publish an updated privacy notice shortly. Prior to the 16th of July, CBRE relied on the Privacy Shield solely for transfers of some personal data collected directly from EU/EEA data subjects by CBRE’s U.S. websites. CBRE remains committed to complying with our obligations under the GDPR and the Privacy Shield program for all personal data transferred in reliance on Privacy Shield.
- Implementing a framework for conducting privacy impact assessments on all extra-EU/EEA data transfers and evaluating appropriate additional safeguards to ensure that all such transfers have an essentially equivalent level of data protection to that which is guaranteed within the EU.
- Exploring increasing EU/EEA data localization.
Finally, CBRE is optimistic that new solutions, such as an enhanced EU-US Privacy Shield Framework, will be found which will allow for the continued free flow of data, so vital to the global economy and international trade relationships, and simultaneously protect and respect individual privacy rights consistent with EU law. For questions about CBRE’s response to the Schrems II decision, please contact CBRE’s Global Data Privacy Office.
Chief Ethics & Compliance Officer