HOW TO TRANSFER PERSONAL DATA TO NON-EEA COUNTRIES? - NEW EDPB RECOMMENDATION
25 November 2020
In the middle of summer 2020 the Court of Justice of the EU (CJEU) invalidated the Privacy Shield and put into question the usability of the standard contractual clauses. Since then we have been waiting for guidance from the European Data Protection Board (EDPB) on how to transfer personal data to non-EEA countries in a GDPR-compliant way. The EDPB has now broken the silence with a six-step guide, which we summarize in this short article.
Step 1 – Transfer mapping
The first step is fairly evident: you can only transfer personal data to non-EEA countries in a GDPR-compliant way if you know your data transfers like the back of your hand.
Here the EDPB reminds data exporters that not only "classic" transfers count: in certain cases storing personal data in the cloud or giving remote access to it from a third country may also qualify as a transfer.
Do not forget about onward transfers either: the processor to whom you transmit personal data may itself transfer it to another organization in another third country.
Step 2 – Choose a transfer tool
After mapping all third-country data transfers, identify which of the transfer tools set out in the GDPR you are relying on.
The ace among the transfer tools is the adequacy decision, which is what the Privacy Shield was in the case of the U.S. If an adequacy decision exists, you can relax: you do not need to take the further steps, except to check regularly whether the adequacy decision is still valid.
If you are less fortunate, you need another transfer tool, which can be one of the following:
- standard contractual clauses (SCCs),
- binding corporate rules,
- codes of conduct,
- certification mechanisms,
- ad hoc contractual clauses.
If none of the above is available to you, you can still try to rely on the derogations provided by the GDPR (e.g. the vital interests of the data subject). However, the EDPB emphasizes that these derogations are exceptional in nature and may only be used for occasional and non-repetitive transfers.
Step 3 – Assess the effectiveness of the transfer tool
If you can rely neither on an adequacy decision nor on a derogation, you must assess whether there is anything in the law or practice of the third country that might impinge on the effectiveness of the appropriate safeguards in your transfer tool. The U.S. mass surveillance programs, for example, could be considered such a factor.
The EDPB gives practical guidance on which factors to take into account when assessing effectiveness. Without being exhaustive, these include the purposes of the transfer, the sector in which the transfer occurs and the categories of data transferred. Note that subjective factors, such as the likelihood that public authorities will actually access the data, should not play a role in the assessment.
The EDPB recommends documenting the results of the assessment, as the data controller can be held accountable for the decisions made on its basis.
The assessment has two possible outcomes, which determine your further obligations: either you conclude that the transfer tool is effective in itself, in which case you only need to re-evaluate regularly, or you conclude that it is not effective in itself and you need to adopt supplementary measures (see Step 4).
Step 4 – Supplementary measures
If the transfer tool does not in itself provide the required level of protection for personal data, the data exporter must adopt supplementary measures to support the effectiveness of the appropriate safeguards. The EDPB groups supplementary measures into three categories: technical, contractual and organizational. According to the EDPB, combining these measures so that they build on each other may contribute to reaching the EU standard of protection.
Technical measures include, for example, state-of-the-art encryption or pseudonymisation, where personal data is transferred in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, and that additional information (the key or lookup table) stays with the exporter. Contractual measures include clauses by which, for instance, the data importer certifies that it has not purposefully created back doors that could be used to access the personal data. Organizational measures may be, for example, adequate internal policies with a clear allocation of responsibilities for data transfers.
Note that if the transfer tool combined with the supplementary measures still does not ensure an adequate level of data protection, the data exporter must not start the transfer, or must suspend transfers already under way to that third country.
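The following is an added example, written for this article and not taken from the EDPB recommendations or from any particular product: it shows what "pseudonymisation with the additional information kept by the exporter" looks like in practice, and why a plain hash of an identifier is not enough. It assumes Python, HMAC-SHA256 as the pseudonymisation function, a constructed list of two customer records (not real people), and a secret key that never leaves the exporter in the EEA. The importer receives only the pseudonymised records.

```python
"""Keyed pseudonymisation of records before a third-country transfer.

Added example, not from the EDPB recommendations or the original article.
Assumptions: constructed sample records, HMAC-SHA256 as the pseudonymisation
function, and a secret key that stays with the data exporter in the EEA.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; the e-mail address is the direct identifier.
RECORDS = [
    {"email": "alice@example.com", "country": "HU", "purchases": 3},
    {"email": "bob@example.org", "country": "DE", "purchases": 1},
]


def pseudonymise(records, key):
    """Replace the direct identifier with an HMAC-SHA256 pseudonym.

    Returns (exported_records, lookup_table). Only `exported_records` go to
    the importer; `lookup_table` and `key` are the "additional information"
    that must stay with the exporter. The same input always yields the same
    token, so the importer can still link records of one data subject.
    """
    exported = []
    lookup = {}
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()
        exported.append({"id": token, "country": rec["country"], "purchases": rec["purchases"]})
        lookup[token] = rec["email"]
    return exported, lookup


def reidentify(exported_record, lookup):
    """Exporter-side re-identification using the retained lookup table."""
    return lookup.get(exported_record["id"])


def unkeyed_hash(email):
    """What NOT to do: a plain SHA-256 of the identifier with no secret key."""
    return hashlib.sha256(email.encode()).hexdigest()


def dictionary_attack(token, candidates):
    """Try to reverse a token by hashing a list of guessed identifiers.

    Works against unkeyed hashes of low-entropy identifiers such as e-mail
    addresses; fails against HMAC tokens because the attacker lacks the key.
    """
    for guess in candidates:
        if unkeyed_hash(guess) == token:
            return guess
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated and kept in the EEA
    exported, lookup = pseudonymise(RECORDS, key)
    for rec in exported:
        print(rec)                         # what the importer sees
    guesses = ["carol@example.net", "alice@example.com", "bob@example.org"]
    print("unkeyed hash reversed:", dictionary_attack(unkeyed_hash("alice@example.com"), guesses))
    print("HMAC token reversed:  ", dictionary_attack(exported[0]["id"], guesses))
```

The point of the last two lines is the caveat: hashing an e-mail address without a key gives the importer (or anyone who obtains the export) a token they can reverse with a guess list, so the data would still be attributable to the data subject and the measure would not count as effective pseudonymisation. With the key retained in the EEA, the same guess list fails.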
Step 5 – Procedural steps
If your chosen transfer tool combined with the supplementary measures appears to give you a green light for the specific transfer, you may still need to complete some formal procedural steps.
For example, if you rely on standard contractual clauses as a transfer tool but intend to modify them, or your chosen supplementary measures contradict the SCCs, you must seek the authorization of the competent supervisory authority.
Step 6 – Re-evaluate
Even with an appropriate transfer mechanism in hand, you cannot lean back for good.
In line with the accountability principle of the GDPR, you must re-evaluate at appropriate intervals the level of data protection in the destination country and monitor whether there have been, or will be, any developments that may affect it.
To sum up, non-EEA data transfers require special attention and a well-planned strategy, especially these days when transfers to the United States and to the United Kingdom are no longer that simple.