EDPB (European Data Protection Board) brings new light upon the recent decision of the CJEU (The Court of Justice of the European Union), named C-311/18 Schrems II (after the Austrian activist Max Schrems), which clarifies the transfer of personal data to third countries and continues to validate the standard contractual clauses.
The CJEU emphasizes once again that data exporters are primarily responsible for verifying if the laws and practices of the third countries are affecting the protection measures adopted under Article 46 GDPR (The General Data Protection Regulation). Moreover, according to EDPB, ‘’the Court leaves open the possibility for exporters to implement supplementary measures that fill these gaps in the protection and bring it up to the level required by EU law.’’
Therefore, for exporters (data controllers, processors, private entities, etc.), EDPB offers a series of recommendations adopted on the 10th of November 2020 that could be implemented to ensure compliance with the EU level of protection of personal data.
First step: know your transfers. This is an essential step in the compliance process. GDPR requires mapping all the personal data transfers to third countries as well as their limitation to what is necessary. ‘’You must know where the personal data you exported may be located or processed by the importers (map of destinations)’’.
Secondly, you must verify the transfer tool you are relying on. If, according to Article 45 GDPR, the region to which you are transferring the data is considered appropriate, there are no additional actions required, apart from making sure that the adequacy decision for the specific area/sector remains valid, as EDPB recommends.
In the absence of adequacy decisions, Article 46 GDPR is providing a list of tools which can be used by exporters containing ‘’appropriate safeguards’’: standard data protection clauses clauses (SCCs); binding corporate rules (BCRs); codes of conduct; certification mechanisms; ad hoc contractual clauses.
The third step involves assessing the law and the practice of the third country. When selecting a transfer tool according to Article 46 GDPR, you must make sure that the transfer tool is ‘’effective in practice’’.
‘’Effective means that the transferred personal data is afforded a level of protection in the third country that is essentially equivalent to that are guaranteed in the EEA.’’
The Recommendations 01/2020 formulated by the EDPB lists several criteria to offer guidance to the exporters when carrying out a detailed assessment. The aim is to help exporters to ensure that all the details are considered when transferring to a third country.
Among them we mention: the collaboration between the exporter and the importer regarding the exiting legislation and practices in the third country that could affect the safeguards of the transfer tool, the analysis of all those who are manipulating data in the transfer (e.g.: controllers, processors and sub-processors) and also taking in consideration the particular laws that could grant public authorities powers of access to personal data (for criminal law enforcement, regulatory supervision etc.)
The fourth step is about identifying and adopting supplementary measures. When using a specific transfer tool and your assessment reveals that it is not effective, EDPB recommends the adoption of additional measures. ‘‘In principle, supplementary measures may have a contractual, technical, or organisational nature. Combining diverse measures in a way that they support and build on each other may enhance the level of protection and may therefore contribute to reaching EU standards.’’
Step five presents the procedures you must follow when you adopt an effective supplementary measure, this could differ depending on the transfer tool you are using.
Finally, the sixth step recommended by the EDPB urges to re-evaluation of the level of protection at appropriate intervals. It is thus recommended to constantly monitor the evolution in the third country where you transferred the personal data. You must stop/suspend transfers when the importer violates the commitments made under Article 46 GDPR or the supplementary measures no longer work in that country.
‘’The GDPR lays down rules on processing personal data in the EEA and in doing so allows for free movement of personal data within the EEA. Chapter V of the GDPR governs transfers of personal data to third countries and sets a high bar: the transfer must not undermine the level of protection of natural persons guaranteed by the GDPR (Article 44 GDPR). The CJEU C-311/18 (Schrems II) judgement underscores the need to ensure the continuity of the level of protection afforded under the GDPR to personal data transferred to a third country.6’’