In its recent judgment C-311/18 (Schrems II) the Court of Justice of the European Union (CJEU) undermined, to a certain extent, the principles established in previous years for the transfer of personal data outside the EEA, in particular to the US. Many exporters, i.e. controllers and processors transferring data to third countries, were surprised by the verdict and left in confusion. Fortunately, the European Data Protection Board (EDPB) came to their aid and adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
These recommendations provide exporters with a series of steps to follow and some examples of supplementary measures that could be put in place.
Step 1 – know your transfers
As a first step, the EDPB advises you to know exactly where the personal data goes. This is necessary to ensure that it is afforded an essentially equivalent level of protection wherever it is processed.
Step 2 – verify the transfer tool your transfer relies on
If the country, region or sector to which you are transferring the data has been declared adequate by the European Commission (EC), through one of its adequacy decisions under Article 45 GDPR, you will not need to take any further steps, besides monitoring that the decision remains valid.
In the absence of an adequacy decision, you need to rely on one of the transfer tools listed under Article 46 GDPR. In cases of occasional and non-repetitive transfers you may be able to rely on one of the derogations provided for in Article 49 GDPR.
Step 3 – assess effectiveness of the safeguards of the transfer tools you are relying on
Ensuring the protection of personal data involves not only choosing an appropriate legal instrument allowing for such a transfer, but also guaranteeing that the proper level of personal data protection is maintained in practice in the context of your specific transfer. Your assessment should focus primarily on third country legislation that is relevant to your transfer, but should also take into consideration elements such as the sector in which the transfer takes place, the purposes for which the data is transferred and processed, and others.
An important element of the assessment, in this step, is the use of Recommendation 2/2020 on European Necessary Guarantees for surveillance measures (EEG), also recently issued by the EDPB. For further information on the Recommendation 2/2020.
Step 4 – identify and adopt supplementary measures
This step is only necessary if your assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool you are relying on, or intend to rely on, in the context of your transfer. Supplementary measures may include technical measures that strengthen the overall level of protection, e.g. by creating obstacles to, or hampering, attempts by public authorities to gain access to personal data. You may ultimately find that no supplementary measure can ensure an essentially equivalent level of protection for your specific transfer. In those cases you must avoid, suspend or terminate the transfer.
Step 5 – take any formal procedural steps the adoption of your supplementary measure may require
You may need to consult your competent supervisory authorities on some of the formalities.
Step 6 – re-evaluate at appropriate intervals the level of protection afforded to the data you transfer
The principle of accountability requires continuous vigilance over the level of protection of personal data. That’s why you must monitor whether there have been any developments that may affect it.
For more guidelines on data transfer to third countries, feel free to get in touch with the Penteris IP&DP team.
By Maria Skwarcan, Junior Associate, Penteris