On November 11, the European Data Protection Board (EDPB) published its anxiously awaited recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, as well as recommendations on the European Essential Guarantees for surveillance measures. Both documents were adopted as a follow-up to the decision in Schrems II made by the Court of Justice of the European Union (CJEU).
The CJEU noted that the level of protection in third countries does not need to be identical to that guaranteed within the European Economic Area (EEA), but essentially equivalent. The recommendations therefore aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection for the data they transfer to third countries.
The four European essential guarantees for surveillance measures
The Surveillance Recommendations identify the following European essential guarantees:
- processing should be based on clear, precise and accessible rules;
- necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
- an independent oversight mechanism should exist;
- effective remedies need to be available to the individual.
The four European essential guarantees are to be seen as core elements to be found when assessing the level of interference with the fundamental rights to privacy and data protection. They should not be assessed independently, as they are closely interlinked, but on an overall basis, reviewing the relevant legislation in relation to surveillance measures, the minimum level of safeguards for the protection of the rights of the data subjects and the remedies provided under the national law of the third country. The Surveillance Recommendations play a very important role in outlining the elements to be taken into account when evaluating foreign laws in Step 3 defined in the Supplementary Transfer Measures Recommendations.
Steps for applying the principle of accountability within data transfers
The Supplementary Transfer Measures Recommendations address, among other things, the principle of accountability within data transfers, to be applied in accordance with the following 6 steps:
Step 1. Know your data transfers;
Step 2. Identify the transfer mechanism you rely on: adequacy decisions (GDPR Art. 45), derogations (GDPR Art. 49), or appropriate safeguards such as standard contractual clauses, binding corporate rules, etc. (GDPR Art. 46);
Step 3. Assess whether the adopted transfer mechanism is effective in the place of destination of your data. If there are gaps in the level of protection, you shall go to Step 4.
Step 4. Adopt supplementary measures to fill in gaps in the level of protection. If supplementary measures cannot fill in gaps, do not start transferring personal data or suspend/end ongoing transfers.
Step 5. After the identification of effective supplementary measures, address the procedural steps related to the specific transfer mechanism;
Step 6. Monitor and re-evaluate the assessment at appropriate intervals.
Supplementary measures examples
Annex 2 of the Supplementary Transfer Measures Recommendations provides a non-exhaustive list of examples of supplementary measures, including:
- technical measures;
- additional contractual measures;
- organizational measures.
The Supplementary Transfer Measures Recommendations provide a plan of what shall be done, potential sources of information, and some examples of supplementary measures that could be put in place. Data exporters must proceed with due diligence and document their process thoroughly, as they will be held accountable for the decisions they take on that basis, in line with the GDPR principle of accountability. Moreover, data exporters should know that it may not be possible to implement sufficient supplementary measures in every case. The Supplementary Transfer Measures Recommendations will be submitted to public consultation. They will be applicable immediately following their publication.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Prepared by attorney at law Loreta Andziulytė and assistant attorney at law Milda Šlekytė