In the recent Schrems II decision (C-311/18), the Court of Justice of the European Union reiterated that the protection granted to personal data in the EEA must travel with the data wherever it goes. Transferring personal data to third countries ‘must not be a means to water down or undermine the protection it is afforded in the EEA’.

The level of protection in a third country does not have to be identical but must be ‘essentially equivalent’. The court ruled that standard contractual clauses, as a transfer tool, may serve to ensure by contract an essentially equivalent level of protection for data transferred to third countries.

Availing oneself of standard contractual clauses and other Art 46 transfer tools alone will not be enough to ensure an essentially equivalent level of protection. Data exporters must conduct a case-by-case risk assessment of each transfer, taking into account the circumstances of the transfer and any supplementary measures put in place to ensure that personal data is adequately protected.

To assist data exporters with this risk assessment, the European Data Protection Board has now published, in its Recommendation, a roadmap of steps to take to assess whether a data exporter needs to put in place supplementary measures to be able to legally transfer data outside the EEA.

This article is a summary of the recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

Step 1 – Know your transfers

Record and map all transfers to third countries. Build records of processing activities that you may be obliged to maintain under Art 30.

Always consider onward transfers when mapping transfers.

Verify that the data transfer is adequate, relevant and limited to what is necessary – in line with the principle of data minimisation.

These steps must be carried out before any transfer is made and updated prior to resuming transfers after suspension of data transfer operations.

Develop and maintain a map of destinations. You must know where the personal data you exported may be located or processed by importers.

Step 2 – What are your transfer tools?

If you are transferring personal data on the basis of a Commission adequacy decision, you must continue to monitor whether the adequacy decisions relevant to your transfer are revoked or invalidated. Take for example the revocation earlier this year of the US Privacy Shield, and its impact.

Art 46 provides other transfer tools containing appropriate safeguards that exporters can use in the absence of an adequacy decision:

  • Standard contractual clauses (SCCs)
  • Binding corporate rules
  • Codes of conduct
  • Certification mechanisms
  • Ad hoc contractual clauses

Whatever tool is chosen, it must be ensured that, overall, the transferred personal data will benefit from an essentially equivalent level of protection.

Note that the situation in the third country may require the data exporter to supplement these transfer tools and safeguards with additional measures to ensure an essentially equivalent level of protection.

A third way to transfer data to a third country is through the derogations set out in Art 49. The derogations however must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive, so should not be used if you intend to transfer data on a regular basis. Guidelines on derogations can be found here.

Step 3 – Assess whether the Art 46 transfer tool is effective

Selecting the transfer tool alone may not be enough. The transfer tool must ensure that the level of protection guaranteed by the GDPR is not undermined by the transfer, i.e. it must be effective in practice.

The level of protection afforded in the third country must be essentially equivalent to that guaranteed in the EEA.

You must assess whether anything in law or practice might impinge on the effectiveness of the appropriate safeguards of the Art 46 transfer tool.

The assessment must take into consideration all the actors participating in the transfer (controllers, processors and sub-processors).

Look at the characteristics of each transfer and determine how the domestic legal order (law and regulation) of the third country applies to the transfers.

The applicable legal context will depend on the circumstances of the transfer:

  • Purposes for which the data are transferred and processed;
  • Types of entities involved in the processing (public/private; controller/processor);
  • Sector or industry in which the transfer occurs;
  • Categories of personal data transferred;
  • Whether the data will be stored in the third country or whether there is only remote access to data stored within the EU/EEA;
  • Format of the data to be transferred (plain text/pseudonymised or encrypted);
  • Possibility that the data may be subject to onward transfers from the third country to another third country.

Assess and identify if any laws impinge on commitments contained in the Art 46 transfer tools.

Verify that data subjects will be able to exercise their rights in the context of international transfers effectively.

Consider in particular laws which require the disclosure of personal data to public authorities. If these requirements are limited to what is necessary and proportionate in a democratic society, they may not impinge on the commitments contained in the Art 46 transfer tool. The EU standards contained in Arts 47 and 52 of the EU Charter of Fundamental Rights must be used as a reference to assess whether such access is limited to what is necessary and proportionate.

Conduct the assessment with due diligence and document it thoroughly, as you will be held accountable for the decision you take on that basis.

Conclusion of assessment:

  • The transfer tool effectively ensures that the transferred personal data is afforded a level of protection in the third country that is essentially equivalent to that guaranteed within the EEA. The third country’s legislation and practices applicable to the transfer put the data importer in a position to comply with its obligations under the chosen transfer tool. You should re-evaluate at appropriate intervals, or when significant changes come to light.
  • The transfer tool does not effectively ensure an essentially equivalent level of protection. The data importer cannot comply with its obligations, owing to the third country’s legislation and/or practices applicable to the transfer. The CJEU underlined that where Article 46 GDPR transfer tools fall short, it is the responsibility of the data exporter to either put in place effective supplementary measures or to not transfer personal data.

Step 4 – Adopt supplementary measures

If, following an assessment, you find that the Art 46 transfer tool is not effective, you must then consider whether any supplementary measures exist that enhance the safeguards contained in the transfer tool and enable it to provide a level of protection that is essentially equivalent.

Supplementary measures may have a contractual, technical or organisational nature and may be implemented individually or in combination to support and build on each other to enhance the level of protection.

In some circumstances only technical measures might work to provide the level of protection required.

The following list of factors should be considered to identify which supplementary measures would be most effective in protecting the data transferred:

  • Format of the data to be transferred – plain text, pseudonymised or encrypted;
  • Nature of the data;
  • Length and complexity of data processing workflow, number of actors involved in the processing, and the relationship between them;
  • Possibility that the data may be subject to onward transfers.

If you have effective supplementary measures which, together with the Art 46 transfer tool, provide an essentially equivalent level of protection, the transfer is permitted.

If you do not have effective supplementary measures, you must not start transferring personal data, and if you are already transferring personal data, you are required to suspend or end the transfer. The data transferred to the third country and copies thereof must be returned or destroyed.

If you continue to transfer despite the fact that the data importer is unable to comply with the commitments under the Art 46 transfer tool, you should notify your competent supervisory authority, who may then suspend or prohibit data transfer and may impose corrective measures such as fines.

Step 5 – Procedural steps

If the supplementary measures are in addition to the SCCs, do not contradict the SCCs directly or indirectly, and ensure an essentially equivalent level of protection, there is no need to request an authorisation from your competent supervisory authority.

Where you intend to modify the SCCs or where the supplementary measures contradict the SCCs, you will no longer be deemed to be relying on SCCs and must seek an authorisation from your competent supervisory authority.

The EDPB is still considering the impact of the Schrems II decision on BCRs and ad hoc contractual clauses and intends to provide more details soon as to whether additional commitments may need to be included.

Step 6 – Re-evaluate at appropriate intervals

You must monitor, on an ongoing basis, developments in the third country and how these developments might affect your initial assessment of the level of protection.

You should put in place mechanisms to ensure that you can promptly suspend or end transfers where the data importer breaches its commitments under the Art 46 transfer tool or the supplementary measures are no longer effective.

Conclusion

It is important that all companies that currently transfer or intend to transfer personal data to third countries conduct a risk assessment immediately to ensure compliance.