The Schrems II ruling has brought new requirements for transfer of personal data to non-secure third countries outside of the EU. In the light of the ruling, the European Data Protection Board (EDPB) has published recommendations on necessary actions in order to comply with the new requirements. The recommendations were definitively approved and published on 18 June 2021.
If your company processes personal data and uses suppliers (data processors or sub-data processors) outside of the European Union to process that data, it is important that you familiarize yourself with the consequences of the ruling. You should investigate whether you, for example, must implement supplementary security measures to secure your data. Data processors and sub-data processors include large corporations such as Microsoft, Google, and Amazon, but your smaller suppliers can also be affected by the ruling.
Below, we have summarized the six steps that the EDPB has presented in its recommendations and that you ought to consider and implement if you are transferring personal data to third countries or international organisations.
1. Know your transfers
Map out and register what transfers to processors and sub-processors you are performing, including:
- Which data processors (and/or sub-data processors) data is transferred to
- The purpose of the transfers
- Categories and types of personal data that are being transferred
2. Identify the legal ground for transfer of personal data that you will be relying on
Under the GDPR there are a number of mechanisms for lawful transfer:
- Approved contractual clauses
- An approved code of conduct or certification mechanism
- Binding corporate rules (BCR)
- Standard data protection/contractual clauses (SCC)
- Legally binding and enforceable instruments between public authorities or bodies
- Adequacy decision
- Derogations for specific situations
If you are using any of the first five mechanisms for transfer, you should assess the level of protection in the receiving country – see step 3.
Often, standard contractual clauses will be the most relevant mechanism for transfer to a data processor or sub-data processor in a third country, e.g. the USA.
Extra info:
On 4 June 2021, the European Commission approved a new template for standard contractual clauses for transfers to third countries (SCC). It has to be used from 27 September 2021.
When using the standard contractual clauses, you must ensure that the contracts are correctly entered into and that your company or organisation is able to comply with the requirements stated in the contractual clauses.
If you have been using the “old” SCCs, you can continue to do so until 27 December 2022 (provided that the processing is unchanged).
The new SCC can be found here.
3. Evaluate if the data protection level in the receiving country correlates with the level secured within the EU
The evaluation should focus in particular on whether the receiving country has laws that oblige the data importer to hand over data to public authorities or agencies, or to give them access to your personal data.
Additionally, the evaluation should consider both the legislation in the receiving country and the practical implications of that law (see extra info below).
If the evaluation leads to the conclusion that the protection level in the receiving country does not substantially correspond to the level of protection secured within the EU, you must implement supplementary safeguards – see step 4.
Transfer Impact Assessment (TIA)
If you are using the new standard contractual clauses (SCC) (see step 3), you must make a transfer impact assessment (TIA). The TIA must be made available for public authorities upon request.
The TIA should entail:
- Evaluation of the legislation and practices in the receiving third country
- The duration of the main contract
- The extent and frequency of transfers
- The type of receivers
- The character of the information being transferred
Extra info:
In the finalized guidelines from the EDPB, the consideration of legal practice has been added. This means that you should not only investigate the legislation of the country, but also the legal practice surrounding it, especially in the following situations:
- Where the legislation formally lives up to the European standards, but this is not being followed in practice by the authorities in the third country.
- Where the legislation in the third country is insufficient and practice is not compatible with the obligations that are stated in the transfer mechanism.
- When the transfer is covered by problematic legislation.
The guideline from EDPB can be found here.
4. Evaluate what supplementary measures to implement
Supplementary measures can be:
- Contractual, e.g. addenda to contracts on transparency, or requiring that access to data be approved by the data subjects.
- Technical, e.g. encryption, pseudonymisation, and split processing.
- Organisational, e.g. governance policies, employee awareness, and data minimization.
There are examples of supplementary measures related to different scenarios in the guideline from EDPB (appendix 2).
5. Implement the supplementary measures
This step entails implementing the supplementary measures to ensure a level of protection equivalent to the level provided within the EU.
6. Continuous evaluation of the receiving country and the transfer
You and the data importers must continuously evaluate developments in the receiving country that can affect the transfer. If your data importer has had a data breach or can no longer comply with the requirements, the transfer should be stopped.
Reach out to us if you need help
Remember to document your overview, evaluations, and analysis – even if you only have one or a few transfers. It is understandable if the above steps seem like a very big and cumbersome workload, especially since the subject is still relatively new and surrounded by many open questions, which makes it difficult to know exactly what to do.
Still, always remember that it is better to have done your best than not to have done anything at all!
We also expect that the data protection authorities will perform audits on the subject in the months to come, which will lead to greater clarity on what is actually ‘good enough’. Furthermore, cloud vendors can be expected to introduce new initiatives to deal with transfers. It is therefore also important that you continuously stay updated on new guidelines and rulings so that you are able to act on new initiatives.
If you need input or advice on how to get started, please feel free to reach out to Head of IT Audit and Advisory, Anders Grønning-Kjærgaard, phone no. +45 35 27 50 53, email anders.kjaergaard@dk.gt.com, or IT Auditor (CIPP/E), Camilla Immerkær, phone no. +45 35 27 50 90, email camilla.immerkaer@dk.gt.com.