On 18 June 2021, the European Data Protection Board (EDPB) adopted Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (hereinafter ‒ Recommendations).
For any data controller and data processor, the topic of international data transfers remains a challenge, because clear guidance on it is hard to find. The situation has become even more complicated since the Schrems II decision of the Court of Justice of the European Union, which invalidated the Privacy Shield as a valid data transfer mechanism and upheld the validity of the standard contractual clauses (SCC), subject to the implementation of "supplementary measures" (where necessary) that fill the gaps in the protection and bring it up to the level required by EU law.
These Recommendations provide exporters with a series of steps to follow, potential sources of information, and some examples of supplementary measures that could be put in place.
Step 1. Know your transfers. Data exporters should record and map all international personal data transfers and verify whether they are adequate, relevant and limited to what is necessary in relation to the purposes for which they are operated.
Step 2. Verify the transfer tool your transfer relies on, amongst those listed under Chapter V GDPR.
- If the European Commission has already declared the country, region or sector to which you are transferring the data as adequate, as long as the decision is still in force, you will not need to take any further steps, other than monitoring that the adequacy decision remains valid.
- In the absence of an adequacy decision, you need to rely on one of the transfer tools listed under Article 46 GDPR:
  - standard data protection clauses (SCCs);
  - binding corporate rules (BCRs);
  - codes of conduct;
  - certification mechanisms;
  - ad hoc contractual clauses.
Step 3. Assess if there is anything in the law and/or practices in force of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.
This assessment must contain elements concerning access to data by public authorities of the third country of your importer such as:
- Elements on whether public authorities may seek to access the data with or without the data importer’s knowledge;
- Elements on whether public authorities may be able to access the data through the data importer or through the telecommunication providers or communication channels in light of legislation, legal powers, technical, financial, and human resources at their disposal and of reported precedents.
Special attention should be given to the Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.
Use only sources of information that meet the following requirements: relevant, objective, reliable, verifiable and publicly available or otherwise accessible information.
Your assessment may ultimately reveal that the transfer tool you rely on either:
- Effectively ensures that the transferred personal data is afforded a level of protection in the third country that is essentially equivalent to that guaranteed in the EEA.
- Does not effectively ensure an essentially equivalent level of protection. In that case, you have to suspend the transfer or implement supplementary measures.
Step 4. Identify and adopt supplementary measures. The Recommendations contain a non-exhaustive list of examples of supplementary measures with some of the conditions they would require to be effective.
Where you are not able to find or implement effective supplementary measures, you must not start transferring personal data to the third country concerned on the basis of your chosen transfer tool.
Step 5. Adopt procedural steps if you have identified supplementary measures. If you have identified adequate supplementary measures, you have to implement supplementary procedural steps or additional requirements before use.
Step 6. Re-evaluate at appropriate intervals the level of protection afforded to the personal data you transfer to third countries and monitor whether there have been or will be any developments that may affect it.
The Recommendations provide a road map of good practices for data exporters that need to be evaluated to assess whether the legislation of the third countries governing access to personal data by public authorities is to be regarded as a justifiable interference or not.
Data exporters will have to make extra efforts and, on a case-by-case basis, assess their current and intended transfers of personal data.
If you need assistance in assessing the transfer of data to third countries, please consult the specialists of ECOVIS ProventusLaw.
Prepared by Brigida Bacienė, Certified Data Protection Expert (CIPP/E) of ECOVIS ProventusLaw