Recommendations for transfer of personal data outside of EEA, following Schrems II decision, adopted
The European Data Protection Board has published its recommendations for supplementary measures required for international transfers of personal data. These include standard contractual clauses and recommendations on surveillance measures.
As a result of the Schrems II judgment data exporters (controllers relying on a transfer mechanism under Article 46 of the EU GDPR (to transfer personal data outside the European Economic Area)) must verify, on a case-by-case basis and in collaboration with the data importers, whether the law of the importer’s country ensures a level of protection for the personal data that is essentially equivalent to the EEA’s protections. If not, data exporters need to assess whether they can implement supplementary measures to help ensure the requisite level of protection. The new recommendations are designed to help with this process and include a six-step process outlining the steps data exporters need to take. These six steps are:
Map data transfers to be carried out, keeping in mind any onward transfers and access from a third country (for example storage in the cloud, outside of the EU)
Identify data transfer mechanisms, under Chapter V of the GDPR that will be used.
Assess whether the law or practice of the data importer’s country will stop or reduce the effectiveness of any appropriate safeguards transfer tools put in place.
Consider supplementary measures, if the recipient third country’s legislation impinges on the effectiveness of the Article 46 GDPR transfer safeguards. If this is the case data exporters must identify and adopt supplementary measures, so as to provide a standard of protection for the data that is essentially equivalent to that provided by EU law.
Take any formal steps required to adopt supplementary measures (such as seeking authorisation from a supervisory authority).
Keep data transfer arrangements under review with re-evaluations at appropriate intervals. Monitor any developments that might affect things.
The EDPB has been clear that these six steps are not set out for independent assessment but as a holistic approach.
If you would like to discuss this or your data processing agreements you can contact one of our data protection specialists here.