The transfer of personal data to third countries has been a pressing issue ever since the recent Schrems II judgment of the Court of Justice of the European Union (CJEU), which marked the EU-U.S. Privacy Shield Framework as no longer valid as a mechanism that allows compliance with EU data protection requirements when transferring personal data from the European Union to the United States.
Following the judgment, the European Data Protection Board (EDPB) published Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
The Recommendations explain the responsibilities of exporters of personal data (whether they are controllers or processors, private entities or public bodies), as well as the steps they need to take to ensure legal data transfer to third countries.
Although the level of protection in third countries does not have to be identical to that guaranteed within the EEA, the Recommendation repeatedly emphasizes that the level of protection has to be essentially equivalent.
The EDPB identifies six steps set out to help data exporters determine their responsibilities and options when transferring personal data to non-EU countries.
6 steps to ensure appropriate measures for data transfer
1️⃣ Identify transfers of personal data to third countries
2️⃣ Identify the transfer tools you are relying on
3️⃣ Assess the legal framework of the third country
4️⃣ Identify additional safeguards
5️⃣ Adopt the necessary procedures
6️⃣ Regularly monitor and review the adequacy of the protective measures adopted
STEP 1: Identify transfers of personal data to third countries
Before you start with any type of activity around data transfer, you will have to know where your data is. The EDPB advises exporters to record and map all transfers of personal data to third countries.
Although that might prove to be a difficult task to perform, being aware of where the personal data is transferred to is essential for ensuring the equivalent level of protection.
Exporters must also keep track of whether the transferred data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country (data minimization principle).
STEP 2: Identify the transfer tools you are relying on
A second step is to verify the data transfer tools you are relying on during the transfer, listed under Chapter 5 GDPR.
If the EU Commission has already declared the country, region, or sector to which you are transferring the data as adequate, you only have to monitor that the adequacy decision is still valid.
The effect of an adequacy decision is that personal data can flow from the EU (and Norway, Liechtenstein, and Iceland) to a third country without any further safeguard being necessary.
However, adequacy decision can cover just limited parts of the country or can be limited to certain types of data transfers. Check all adequacy decisions by the European Commission.
The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay as providing adequate protection.
If there is no valid adequacy decision, you can rely on one of the transfer tools listed under Article 46 GDPR for transfers that are regular and repetitive. The appropriate safeguards you can rely on in case there is no valid adequacy decision can be:
➡️ SCCs or standard data protection clauses
➡️ BCRs or binding corporate rules
➡️ Codes of conduct
➡️ Certification mechanisms
➡️ Ad hoc contractual clauses
If the transfer is occasional and non-repetitive you will have to check if you can rely on one of the derogations from Article 49 GDPR.
Derogations under Article 49
It is important to note that transferring personal data to third countries relying on any derogation leads to increased risks for the rights and freedoms of individuals. Therefore, it should only be used as an exception, not the rule. The derogations under Article 49 GDPR can be applicable in situations where:
➡️ Individual (data subject) has explicitly consented to the proposed transfer.
➡️ Transfer is necessary for the performance of a contract
➡️ Transfer is necessary for important reasons of public interest
➡️ Transfer is necessary for the establishment, exercise or defense of legal claims
➡️ Transfer is necessary in order to protect the vital interests of the individual or of other persons
➡️ Transfer made from a public register
➡️ Compelling legitimate interests
The EDPB has issued Guidelines 2/2018 on derogations of Article 49 under Regulation so be sure to explore whether you can rely on any derogation for transferring data to a third country.
STEP 3: Assess the legal framework of the third country to which you transfer personal data
If your data transfer is not based on adequacy decision nor derogation, you need to assess whether the transfer tools you are relying on are effective in the light of all circumstances of the transfer.
When you are relying on any of the transfer tools described in Article 46 GDPR, assess if there is a third country law or practice that affects the appropriate safeguards of the transfer tools you are relying on in your specific transfer.
For example, some countries do not permit the import of encrypted data and some industry sectors can be subject to specific law (like telecommunication or banking).
Your transfer tools should provide the same level of protection to the transferred personal data as guaranteed in the EEA, including enabling individuals to exercise their rights granted under the GDPR.
Document your assessment, so you can support your decision if necessary. Your assessment should include everyone included in the transfer (controller, processors, sub-processors…).
The EDPB has issued European Essential Guarantees Recommendations that can be used as a guide in assessing whether the legal framework governing access to personal data by public authorities in a third country, can be regarded as a justifiable interference or not.
STEP 4: Identify and adopt additional safeguards if the legislative framework of the third country is not appropriate
This step is only necessary If you have assessed that the legislative framework of the third country affects your transfer tools.
If that is the case, you will need to adopt supplementary measures, which, applied in combination with the safeguards contained in transfer tools, could bring the level of protection up to the EU standard of essential equivalence.
However, some supplementary measures may be effective in some countries, but not necessarily in others. Therefore, you should select supplementary measures carefully and guarantee the same level of protection for your transfers.
If no supplementary measure can ensure an essentially equivalent level of protection for your specific transfer, you must avoid, suspend, or terminate the transfer.
Just as in the previous step, document your assessment.
STEP 5: Adopt the necessary procedures
The fifth step means you should take any procedural steps required to implement effective supplementary measures. For example, this might include obtaining approval from a supervisory authority.
1️⃣ Standard data protection clauses
If you are relying on supplementary measures in addition to SCCs, there is no need for you to request authorization from the supervisory authority if supplementary measures do not contradict the SCCs.
Additional clauses should not restrict the rights and obligations stated in the SCCs or lower the level of data protection. You should be able to demonstrate this according to the accountability principle.
If you intend to modify the standard data protection clauses or if the supplementary measures added contradict the SCCs, you can no longer rely on standard contractual clauses and will have to ask for authorization from the supervisory authority.
2️⃣ BCRs and Ad hoc contractual clauses
Third country law may affect the protection provided by instruments of contractual nature like binding corporate rules and ad hoc contractual clauses since the commitments taken by the parties do not bind third country public authorities.
However, the precise impact of the Schrems II judgment on BCRs and other transfer instruments is still under discussion.
STEP 6: Regularly monitor and review the adequacy of the protective measures
The sixth step will be to re-evaluate, at appropriate intervals, the level of protection afforded to the data you transfer to third countries and to monitor if there are any developments in the third country that may affect your initial assessment.