Many recent developments, one structured overview
June 2021 has been a very active month in the matter of international transfers of personal data.
In this blogpost we will give an overview of these developments with a short explanation as well as a more structured overview of the various requirements when dealing with transfers of personal data from the EEA to a third country.
With the BREXIT transition period for the UK terminating on 30 June 2021, the GDPR will no longer be applicable in the UK and the latter will become a third country.
On 28 June, the EC adopted an adequacy decision for the UK, as such deciding that the legal framework in the UK continues to be based on rules offering an equivalent level of protection for personal data, just like when the UK was a Member State of the EU.
As a consequence, personal data can continue to flow freely between the EU and the UK after 1 July 2021, without having to implement SCCs or similar protection measures under article 46 of the GDPR.
The adequacy decision is valid for a period of 4 years to begin with and can be extended depending on how the legal situation in the UK further develops.
On 16 June 2021, the EC adopted the draft adequacy decision for South Korea and launched the process for its adoption, concluding that South Korea ensures the essentially equivalent level of protection to that guaranteed under the GDPR.
Upon formal adoption of the adequacy decision, South Korea will be a safe third country for which no article 46-measures will have to be implemented. As a consequence, personal data will be able to flow freely between the EU and South Korea after the formal adoption date.
On 4 June 2021, the EC adopted the new standard contractual clauses for transfers of personal data to third countries (outside the EEA) under the GDPR. You will read more on the new SCCs further in this blog. The new SCCs replace the old SCCs that were adopted under Directive 95/46/EC.
On 4 June 2021, the EC also adopted a model agreement for processing of personal data by a processor on behalf of a controller in the EEA. If you would like to know more about the scope hereof and the advantages of using this template, we propose you read our previous blogpost).
On 18 June 2021, the EDPB launched the final version of its recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. The recommendations are intended to help data exporters in lawfully transferring personal data to third countries outside the EEA by ensuring an equivalent level of protection to the personal data transferred.
Compared to the draft recommendations from November 2020, the EDPB added emphasis for some specific aspects to be dealt with in the transfer impact assessment (TIA). More specifically, the TIA should:
In addition, the EDPB stated that the recommendations may be used in relation to the new SCCs to check the local laws and practices affecting compliance with the SCCs and the possible need to implement supplementary measures.
German data protection authorities started taking joint action to enforce "Schrems II” by examining data transfers to third countries all over Germany. They do this by sending questionnaires of 5 to 10 pages in order to obtain a good understanding of how organisations comply with the international data transfer requirements. We expect supervisory authorities in other Member States to take similar enforcement actions sooner or later.
As with any international data transfer, the first step should always be to make sure that
Transfers of personal data to non-adequate third countries outside the EEA need an appropriate and valid data transfer mechanism under Article 46 (1) and (2) (c) GDPR. The new SCCs are such a valid transfer mechanism but not the only one. Binding corporate rules could, for example, also be a valid transfer mechanism within multinational organisations. In some cases they may even be more interesting, because their approval by supervisory authorities entails an assurance about the protection level in the third country.
Since the GDPR, the question regularly arose whether the SCCs are even needed if the data importer is already directly subject to the GDPR under article 3(2) thereof. The SCCs seem to suggest in their considerations that this is not the case. The EDPB is expect to bring further clarification in this respect. But even if no SCCs are needed for this scenario, there would still be a transfer of personal data requiring to consider the third step described hereafter.
Relying on the SCCs is not sufficient since we have the Schrems-II judgment, the EDPB guidance of 18 June 2021 and the (draft) new SCCs.
Organisations wanting to rely on the SCCs have an effective legal obligation to do a mapping exercise and an impact assessment of their data transfers to answer the question:
All efforts with regard to fulfilling the requirements for international data transfers should beproperlydocumented as part of the overall accountability obligation under the GDPR.
As part hereof, data exporters should always begin with a due diligence on the data importers they will rely on: will this party be able, through the implementation of adequate TOMs, to satisfy the obligations laid down in the SCCs (Clause 8)?
The new SCCs allow for more flexibility because
The new SCCs offer 4 constellations:
The new SCCs offer a modular approach, making it possible
The old SCCs were more rigidly drafted as stand-alone agreements for specific transfer constellations only.
The new SCCs incorporate elements from the Schrems-II judgment, which required additional safeguards to ensure surveillance activities from a third country do not impair data subjects rights. The SCCs (in particular the Annex relating to TOMs to ensure security of the data) provide TOMs related criteria to be taken into account by the data exporter:
Data exporters must document their transfer impact assessment (considering also the circumstances of the transfers and the laws and practices of the non-EEA third country) and provide such assessment upon request to the competent supervisory authority.
The new SCCs integrate the controller-to-processor and processor-to-sub-processor obligations resulting from article 28 GDPR, as such making a separate data processing agreement redundant in the context of international data transfers.
In assessing the appropriate level of security, the parties should take due account of:
The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
The data importer must perform regular checks to ensure a continued adequate security level.
Data subjects can enforce a number of provisions laid down in the new SCCs against both the data importer and exporter.
In case of onward transfers by the data importer the latter must comply with all safeguards of the SCCs (in particular also the purpose limitation).
Under the new SCCs, data importers will have to
The data importer (both the controller and the processor in the third country) should notify the EEA-based exporter and the competent supervisory authority of any personal data breach (accidental or unauthorised access to the data). The affected data subjects must also be notified if there is a likelihood of a high risk for them.
The new SCCs were published on 4 June 2021 and enter into force on 27 June 2021.
Until 27 September 2021, organisations can still enter into the old SCCs. The old SCCs can be relied upon until 27 December 2022.
Need help with your short or long-term compliance? Timelex can help!
Do you have a specific question or would you like support in this matter? We are happy to help. In that case, please contact a Timelex attorney.