In its landmark Schrems II ruling this July, the Court of Justice of the European Union made it clear that the protection granted to personal data in the EEA must follow the data wherever it goes. As follows from the principle of accountability, data controllers are responsible for ensuring that third countries (all countries outside the EEA) can guarantee a level of data protection essentially equivalent to that in the EEA, and the European Data Protection Board (EDPB) has therefore released guidelines to help you with your assessment.
The new guidelines provide data exporters (whether data controllers or data processors) with a six-step assessment:
Step 1: Map all of your data transfers to third countries
By the same logic of “knowing your data” in order to protect it, the EDPB asks you to “know your transfers” in order to ensure an adequate level of protection in the destination country. Additionally, you need to make sure you comply with the data minimisation principle. So after completing the data mapping, make sure you only transfer personal data that is adequate, relevant and limited to what is necessary to achieve the purpose for which you transfer it.
Tip: Remote access from a third country and storage in a cloud located outside the EEA are considered data transfers.
Step 2: Identify your transfer tool
If you are transferring the personal data to one of the countries that have been granted an adequacy decision by the EU Commission, you don’t need to take any further steps, since the adequate level of protection has already been assessed by the EU Commission (although the experience from Schrems I and II has shown that adequacy decisions are not a panacea and sometimes we need to question these decisions).
If the country of destination is not among the ones which have been granted an adequacy decision, you should consider the applicability of Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), codes of conduct, certification mechanisms, ad hoc contractual clauses or derogations of Article 49 GDPR as possible transfer tools.
Step 3: Assess the law or practice of the third country
For this assessment, you will need to focus on the level of access the third country’s public authorities have to the data for surveillance purposes, or the remedies available to data subjects under the third country’s surveillance laws. Read the EDPB European Essential Guarantees recommendations for more detailed guidance.
Step 4: Identify and adopt supplementary measures
If the outcome of your assessment in Step 3 is that the third country’s legal landscape cannot guarantee a level of data protection equivalent to EU standards, then you will need to adopt supplementary measures. First, you will need to assess the effectiveness of the supplementary measures on a case-by-case basis, taking into consideration, among other factors, the laws of the third country and the transfer tool that you are relying on. A supplementary measure can be encryption, pseudonymisation, other organisational measures or contractual clauses, but the guidelines have specific requirements for them to be considered adequate, which you can find in Annex 2 of the guidelines. Always remember that you are responsible for assessing the effectiveness of the supplementary measure or measures you adopt, and therefore you need to be able to defend your position and document it.
Do not start the transfer if the outcome of the assessment is that it cannot guarantee a level of protection equivalent to that of the EU. The supervisory authority has the right to suspend any such transfer and even to impose a fine.
Step 5: Take procedural steps if necessary
Once you have identified and adopted a supplementary measure, you may need to take some additional procedural measures, depending on the transfer tool you rely on. The supervisory authorities have the power to review the supplementary measures, and in some cases you may have to seek authorisation.
Step 6: Re-evaluate the laws of third countries frequently
As laws are not static and can be amended at any time, make sure you keep up to date with the current legislation in the jurisdictions you transfer personal data to.
A final piece of advice: Consider that some third countries’ surveillance laws may have extraterritorial scope, so make sure you capture and document the main establishment of your processors and sub-processors in your data mapping. This will help you identify whether a processor or sub-processor is subject to surveillance laws with extraterritorial scope. If it is, an adequate level of protection may not be guaranteed for data subjects, and the transfer of personal data may not be lawful.
If you’re curious to learn more on the topic, we’re doing a webinar in partnership with Data Protection World Forum next week. You can sign up here.