HOW TO TRANSFER PERSONAL DATA TO NON-EEA COUNTRIES? - NEW EDPB RECOMMENDATION
25 November 2020
Since the Court of Justice of the EU (CJEU) invalidated the Privacy Shield in the middle of summer 2020 and put into question the applicability of the standard contractual clauses, we have been waiting for guidance from the European Data Protection Board (EDPB) on how to transfer personal data to non-EEA countries in a GDPR-compliant way. Finally, the EDPB broke the silence and provided a 6-step guide, which we summarize in this short article.
Step 1 – Transfer mapping
The first step seems pretty evident: you can only transfer personal data to non-EEA countries in a GDPR-compliant way if you know your data transfers like the back of your hand.
Here, the EDPB reminds data exporters that not only “hard-core” data transfers should be taken into account: in certain cases, cloud storage or remote access to personal data may be considered a data transfer, too.
Further, one should not forget about onward transfers, since the processor to whom you transmit personal data may in turn transfer it to another organization in another third country.
Step 2 – Choose a transfer tool
After mapping all the third-country data transfers, you should identify which of the transfer tools set forth by the GDPR you are relying on.
The ace among the transfer tools is the so-called adequacy decision, as the Privacy Shield was in the case of the U.S. If such an adequacy decision exists, you can relax, as you do not need to carry out the further steps, except for checking regularly whether the adequacy decision is still valid.
If you are less fortunate, you need to look for another transfer tool, which can be one of the following:
- standard contractual clauses (SCCs),
- binding corporate rules,
- codes of conduct,
- certification mechanisms,
- ad hoc contractual clauses.
If none of the above is available to you, you can still try to rely on the derogations provided by the GDPR (e.g. the vital interest of the data subject). However, the EDPB emphasized that these derogations have an exceptional nature, as they can only be used for occasional and non-repetitive transfers.
Step 3 – Assess the effectiveness of the transfer tool
If you can rely neither on an adequacy decision nor on a derogation, you must assess whether there is anything in the law or practice of the third country that might impinge on the effectiveness of the appropriate safeguards of your transfer tool. For example, the U.S. mass surveillance programs could be considered as such.
The EDPB provides some practical guidance on which factors should be taken into account when considering the effectiveness. Without being exhaustive, such factors include the purposes of the data transfer, the sector in which the transfer occurs and the categories of the transferred data. It is important to note that subjective factors, such as the likelihood of access by public authorities, should not play a role in the assessment.
The EDPB recommends documenting the results of the assessment, as a data controller can be held accountable for the decisions made based on the assessment.
The assessment may have two different outcomes, which determine your further obligations: either you consider that the transfer tool is effective in itself, in which case you just need to re-evaluate regularly, or you come to the conclusion that the transfer tool is not effective in itself and you need to adopt supplementary measures (see Step 4).
Step 4 – Supplementary measures
If the transfer tool does not in itself provide the required level of protection for personal data, the data exporter must adopt supplementary measures to support the effectiveness of the appropriate safeguard. The EDPB groups the supplementary measures into three categories: technical, contractual and organizational measures. According to the EDPB, combining these measures so that they build on each other may contribute to reaching EU standards.
Technical measures can be, for example, state-of-the-art encryption techniques or pseudonymisation, where the personal data is transferred in such a manner that it can no longer be attributed to a specific data subject. Contractual measures include contractual clauses by which, for instance, the data importer certifies that it has not purposefully created back doors that could be used to access the personal data. Organizational measures may be, for example, adequate internal policies with a clear allocation of responsibilities for data transfers.
It should be noted that if the transfer tool together with the supplementary measures still does not ensure an adequate level of data protection, the data exporter must not start the data transfer or must stop the ongoing data transfers to that specific third country.
Step 5 – Procedural steps
If your chosen transfer tool combined with the supplementary measures seems to give you a green light for the specific data transfer, you still might need to take some formal procedural steps.
For example, if you rely on standard contractual clauses as a transfer tool but intend to modify them, or your chosen supplementary measures contradict the SCCs, you must seek the authorization of the competent supervisory authority.
Step 6 – Re-evaluate
Even if you have the appropriate transfer mechanism in hand, you cannot lean back for good.
In accordance with the accountability principle of the GDPR, you must re-evaluate at appropriate intervals the level of data protection in your destination country and monitor whether there have been, or will be, any developments that may affect it.
Summary
To sum up the above, non-EEA data transfers require special attention and a well-planned strategy, especially these days when transfers to the United States and to the United Kingdom are not that simple anymore.