25 November 2020

Since in the middle of summer 2020, the Court of Justice of the EU (CJEU) invalidated the Privacy Shield and put into question the applicability of the standard contractual clauses, we were wating for guidance from the European Data Protection Board (EDPR) how to transfer personal data to non-EEA countries in a GDPR-compliant way. Finally, the EDPB broke the silence and provided a 6-step guide which we summarize in this short article.

Step 1 – Transfer mapping

The first step seems pretty evident: you can only transfer personal data to non-EEA countries in a GDPR-compliant way if you know your data transfers like the back of your hand.

Here, the EDPR reminds the data exporters that not only “hard-core” data transfers should be taken into account as in certain cases cloud storage or remote access to personal data may be considered as a data transfer, too.

Further, one should not forget about onward transfers since it can be the case that the processor to whom you transmit personal data, transfers it to another organization in another third country.

Step 2 – Chose a transfer tool

After mapping all the third-country data transfers, you should identify the transfer tools set forth by the GDPR you are relying on.

The ace of the transfer tools are the so called adequacy decisions, like the Privacy Shield was on case of the U.S. If such adequacy decision is existing, you can relax as you do not need to do the further steps, except checking regularly whether the adequacy decision is still valid.

If you are less fortunate, you need to search for another transfer tool which can be the following:

  1. standard contractual clauses (SSCs),
  2. binding corporate rules,
  3. codes of conduct,
  4. certification mechanisms,
  5. ad hoc contractual clauses.

If none of the above is available for you, you can still try to rely on the derogations provided by the GDPR (e.g. the vital interest of the data subject). However, the EDPB emphasized that these derogations have an exceptional nature as they can only be used in case of occasional and non-repetitive transfers.

Step 3 – Assess the effectivity of the transfer tool

In case you can neither rely on an adequacy decision, nor on a derogation, then you shall assess if there is anything in the law or practice on the third country that might  impinge on the effectiveness of the appropriate safeguards of your transfer tool. For example, US’ mass surveillance programs could be considered as such.

The EDPB provides some practical guidance which factors should be taken into account when considering the effectiveness. Without being exhaustive such factors are the purposes of the data transfer, the sector in which the transfer occurs or the categories of the transferred data. It is important to note that subjective factors such as likelihood of the access by public authorities should not play a role in the assessment.

The EDPB recommends documenting the results of the assessment as a data controller can be held accountable for the decisions made based on the assessment.

The assessment may have two different outcomes which envisages your further obligations: either you consider that the transfer tool in itself is effective in which case just need to re-evaluate regularly or you came to the conclusion that the transfer tool is not effective in itself and you need to adopt supplementary measures (see Step 4).

Step 4 – Supplementary measures

If the transfer tool will not provide the required level of protection for personal data in itself, the data exporter shall adopt supplementary measures to support the effectiveness of the appropriate safeguard. The EDPB lists the supplementary measures into three categories: technical, contractual and organizational measures. According to the EDBP combining these measures in a way that they build on each other may contribute to reaching EU standards.

Technical measures can be for example state-of-art encryption technics or pseudonymisation where the personal data is transferred in such a manner that it can no longer be attributed to a specific data subject. Contractual measures include contractual clauses by which for instance the data importer certifies that it has not purposefully crated back doors that could be used to access the personal data. Organizational measures as an example may be adequate internal policies with clear allocation of responsibilities for data transfers.

It should be noted that in case the transfer tool together with the supplementary measures still not ensures the adequate level of data protection, then the data exporter must not start the data transfer or must stop the ongoing data transfers to that specific third country.

Step 5 – Procedural steps

In case your chosen transfer tool combined with the supplementary measures seems to give you a green light for the specific data transfer, you still might need to do some formal procedural steps.

For example, if you would rely on standard contractual clauses as a transfer tool but you intend to modify them or your chosen supplementary measures contradict the SSCs, you shall seek the authorization of the competent supervisory authority.

Step 6 – Re-evaluate

Even if you have the appropriate transfer mechanism in hand, you cannot lean back for good.

In accordance with the accountability principle of the GDPR you must re-evaluate at appropriate intervals the level of data protection in your destination country and monitor if there have been or there will be any developments that may affect it.


To sum up the above, non-EEA data transfers require special attention and well-planned strategy especially these days when transfers to the United States and to the United Kingdom are not that simple anymore.