GUIDELINES FOR PERSONAL DATA TRANSFER FROM THE EEA TO NON-EEA COUNTRIES (e.g. USA, UK)
As is well known, on July 16, 2020 the Court of Justice of the European Union issued its judgment in Case C-311/18 (known as Schrems II) and invalidated the EU-US Privacy Shield Framework, the most widely used mechanism for transfers of personal data between the European Union and the United States. The same judgment confirmed that exporters relying on other transfer tools, such as standard contractual clauses, must verify that the law of the destination country does not undermine the protection those tools provide. The invalidation raised the question of how personal data may lawfully be transferred to countries outside the European Economic Area (EEA).
In this regard, on November 10, 2020 the European Data Protection Board (EDPB) adopted Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. The Recommendations set out a six-step roadmap for transferring personal data outside the EEA. According to these Recommendations, the following are the steps that you, as exporter of personal data, need to follow:
STEP no. 1: Mapping transfers of personal data (“Know your transfers”)
As an exporter of personal data to third (non-EEA) countries, you must know your transfers, i.e. you have to map your data transfers, including onward transfers by your processors and remote access to data stored in the EEA from a third country. This may not be as easy as it seems, particularly if you use many processors and sub-processors, but it is the first step you need to take in order to fulfil your obligations under the accountability principle prescribed by the General Data Protection Regulation (GDPR).
STEP no. 2: Identifying the transfer tools you are relying on
After Step no. 1, the next step is to identify the transfer tools you are relying on, in accordance with Chapter V of the GDPR. The available transfer tools are:
- Adequacy decision: a decision adopted by the European Commission establishing that a non-EU country ensures an adequate level of protection of personal data. If there is an adequacy decision you do not need to take any further steps in this roadmap, except monitoring whether the relevant decision is still valid or has been revoked or invalidated. At the time of writing, only a limited number of countries have been recognized as providing an adequate level of data protection (Andorra, Argentina, Uruguay, Switzerland, Canada (commercial organisations only), Israel, Isle of Man, Japan, Faroe Islands, Jersey, New Zealand and Guernsey), while adequacy talks with South Korea are ongoing.
- If there is no adequacy decision, the transfer may be possible on the basis of one of the appropriate safeguards listed in Article 46 of the GDPR:
– standard contractual clauses (SCCs);
– binding corporate rules;
– codes of conduct;
– certification mechanisms;
– ad hoc contractual clauses.
Please note that, according to these Recommendations, “whatever transfer tool you choose, you must ensure that the transferred personal data will have the benefit of an essentially equivalent level of protection.“
Besides adequacy decisions and the transfer tools above, you may also be able to transfer personal data on the basis of one of the derogations listed in Article 49 of the GDPR (for example the data subject's explicit consent, or necessity for the performance of a contract). These derogations are exceptional in nature and must be interpreted restrictively; they are not a substitute for a transfer tool for regular or systematic transfers.
STEP no. 3: Assess whether the transfer tool you are relying on is effective in light of all circumstances of the transfer
If you have chosen one of the transfer tools mentioned above, this is not the end of your effort: you need to undertake Step no. 3, i.e. assess whether the tool you are relying on is effective in light of all circumstances of the transfer. In accordance with the Recommendations, you are required to assess whether there is anything in the legislation or practice of the third (non-EEA) country that may have a negative impact on the effectiveness of the safeguards of the transfer tool you rely on, in particular rules granting public authorities access to personal data for surveillance purposes. This assessment should be carried out together with the importer where relevant, and it should be documented, since you must be able to demonstrate it to the competent supervisory authority on request.
STEP no. 4: Adopt supplementary measures
If the legislation of the third (non-EEA) country impinges on the effectiveness of the transfer tool you are relying on, you are obliged to undertake Step no. 4: to identify and adopt supplementary measures. The purpose of these measures is to ensure that the personal data transferred to the non-EEA country enjoy a level of protection essentially equivalent to that guaranteed in the EEA.
These measures may be technical (for example encryption or pseudonymisation), contractual, or organisational (such as the adoption of internal policies). Note that, according to the Recommendations, contractual and organisational measures alone will generally not be sufficient to overcome access to personal data by public authorities of the third country; in such cases effective technical measures are needed. For encryption to count as an effective technical measure, the Recommendations expect the data to be strongly encrypted before transmission and the decryption keys to remain under the sole control of the exporter or of a trusted entity in the EEA or in a country with an adequacy decision, so that the importer (and the public authorities of its country) cannot access the data in clear text.
You may combine several supplementary measures in order to achieve the required level of protection.
STEP no. 5: Procedural rules
After you have identified and chosen the supplementary measures, you may be obliged to undertake some formal procedural steps. For example, if you rely on SCCs, supplementary measures that merely add to the SCCs without contradicting them do not require any authorisation; however, if the supplementary measures modify or contradict the SCCs, directly or indirectly, you must request authorisation from the competent supervisory authority (SA).
STEP no. 6: Re-evaluate at appropriate intervals
You, as the exporter of personal data, are obliged to re-evaluate, at appropriate intervals, the level of protection afforded to the data you transfer and to continuously monitor developments in the third country to which the personal data are transferred. This obligation is Step no. 6 prescribed by the Recommendations. For example, if the supplementary measures are no longer effective in that non-EEA country, you will be obliged to promptly suspend or end transfers to that country.