The EDPB (European Data Protection Board) sheds new light on the recent decision of the CJEU in case C-311/18, Schrems II. It clarifies the GDPR (General Data Protection Regulation) rules on the transfer of data outside the EU, and continues to validate the standard contractual clauses.
The CJEU (Court of Justice of the European Union) emphasizes once again that data exporters are primarily responsible for verifying whether the laws and practices of third countries affect the protection measures adopted under Article 46 GDPR. Moreover, according to the EDPB, “the Court leaves open the possibility for exporters to implement supplementary measures that fill these gaps in the protection and bring it up to the level required by EU law.”
Therefore, for exporters, the EDPB offers a series of recommendations to ensure compliance with the EU level of protection of personal data.
What are the EDPB recommendations?
First step: know your transfers. This is an essential step in the compliance process. GDPR requires mapping all personal data transfers to third countries and limiting them to what is necessary. “You must know where the personal data you exported may be located or processed by the importers (map of destinations)”.
Secondly, you must verify the transfer tool you are relying on. If, according to Article 45 GDPR, the region to which you are transferring the data is considered appropriate, no additional actions are required, apart from making sure that the adequacy decision for the specific area/sector remains valid, as the EDPB recommends.
In the absence of adequacy decisions, Article 46 GDPR provides a list of tools that can help exporters. Here, exporters can find more about “appropriate safeguards”: standard data protection clauses (SCCs), binding corporate rules (BCRs), codes of conduct, certification mechanisms, etc.
The third step involves assessing the law and the practice of the third country. When selecting a transfer tool, you must make sure that the transfer tool is “effective in practice”.
“Effective means that the transferred personal data is afforded a level of protection in the third country that is essentially equivalent to that guaranteed in the EEA.”
The Recommendations formulated by the EDPB list several criteria to guide exporters when carrying out an assessment. The aim is to help exporters ensure that all the details are considered when transferring to a third country.
Among them we mention: collaboration between the exporter and the importer regarding the legislation in the third country that could affect the safeguards of the transfer tool; an analysis of all those who are handling data in the transfer (e.g. controllers, processors and sub-processors); and consideration of the particular laws that could grant public authorities powers of access to personal data, such as for criminal law enforcement, regulatory supervision, etc.
The fourth step is about identifying and adopting supplementary measures. When your assessment reveals that the specific transfer tool you are using is not effective, the EDPB recommends the adoption of additional measures. “In principle, supplementary measures may have a contractual, technical, or organisational nature. Combining diverse measures to support each other, may enhance the level of protection and contribute to reaching EU standards.”
Step five presents the procedures you must follow when you adopt an effective supplementary measure; these could differ depending on the transfer tool you are using.
Finally, the sixth step recommended by the EDPB urges re-evaluation of the level of protection at appropriate intervals. It is thus recommended to constantly monitor developments in the third country to which you transferred the personal data. You must stop/suspend transfers when the importer violates the commitments made under Article 46 GDPR.
How can Sovy help?