20 / 07 / 2021
On 16 July 2020, the European Court of Justice handed down a new and principled ruling regarding the transfer of personal data from the EU to the USA (Schrems II). Following this decision, the Privacy Shield is no longer a valid legal basis for the transfer of personal data from the EU to the USA. Since then, many questions have arisen about companies' processing of personal data and transfers to third countries. The European Data Protection Agency has now issued guidelines regarding the problem. This is how you can make sure that the transfer is legal.
Know your transfers
As a data controller and data processor, you must map all the transfers of personal data outside the EU / EEA that either you or your sub-data processors make. It must also be determined whether service providers who are considered to be your sub-data processors make a transfer outside the EU. In addition, if you use an international cloud service infrastructure, such as Google, Microsoft, etc., it is important to map whether this transfers personal data outside the EU. You must also map whether a possible transfer takes place in line with the "data minimisation principle". This means that the transfer must not contain more data than is necessary to carry out the processing, i.e. there must be proportionality between the transfer and the needs the processing must cover.
This is a fairly demanding job, but the first step will be to review the agreement with each individual supplier and review the log of data transfers. The agreement in particular will state whether personal data is actually transferred to third countries. A review of the log will give assurance of whether the supplier actually acts in accordance with the agreement.
If personal data is not transferred to a third country, there is no need to review the remaining guidelines for the company.
Verify your transfer basis
This point means that you must ensure that the transfer basis used is sufficient to give EU / EEA citizens the same protection when their data is transferred to third countries as they have within the EU / EEA. Until 16 July 2020, Privacy Shield was precisely this basis. However, it was determined that this was not sufficient. According to Article 46 of the GDPR, there are a number of grounds that are considered sufficient to ensure protection, such as standard contractual clauses, binding corporate rules, etc.
However, it is not sufficient to simply assume that the basis for transfer is sufficient. It must also be ensured that the transfer basis actually gives EU / EEA citizens the same protection for their personal data in third countries as they have within the EU / EEA.
Another alternative is to examine whether the European Commission has made an adequacy decision stating that the third country to which you are to transfer personal data has sufficient protection in line with the GDPR, in which case this is to be regarded as a sufficient basis.
Assess protection in third countries
You must further consider whether there is anything in the third country's legislation or practice that may affect the effectiveness of the protection that the transfer basis you use is meant to provide, in connection with your specific transfer. Your assessment should primarily focus on third country legislation that is relevant to your transfer and to Article 46 of the GDPR, and on whether that legislation can undermine the level of protection. Public authorities' access to data for surveillance purposes should be considered particularly carefully when the legislation regulating such access is ambiguous or not publicly available.
In the absence of legislation governing this, you should look at other relevant and objective factors, and not rely on subjective factors such as the perceived likelihood of public authorities accessing your data in a way that is not in line with EU standards.
Identify complementary measures
This step is only necessary if your assessment shows that the third country's legislation affects the effectiveness of the protection provided by the transfer basis you are relying on, or intend to rely on, for the transfer.
You will be responsible for the decisions you make, including whether EU / EEA citizens have adequate protection when their data is transferred to a third country. You may also need to combine several supplementary measures. You may eventually discover that no supplementary measures can ensure the corresponding level of protection for your specific transfer. In such cases, where no supplementary measures are sufficient, you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of personal data.
As examples of supplementary measures, technical measures such as strong encryption of data, anonymisation of data, etc. are mentioned. These measures cannot be considered exhaustive, and it must be assessed specifically for each transfer whether supplementary measures are appropriate to implement.
Implementation of supplementary measures
When you intend to implement supplementary measures in addition to, for example, standard contractual clauses, it is important to ensure that clauses relating to the measures implemented do not, under any circumstances, override the rights and obligations arising from the transfer basis or reduce the protection to be enjoyed.
Regularly evaluate the basis and measures
Finally, you must regularly, at appropriate intervals, reassess the level of protection of the data you transfer to third countries and the measures you have implemented, and monitor whether there has been or will be any development that may affect the original level of protection. The principle of accountability requires continuous vigilance regarding the level of protection of personal data.
The guidelines reviewed are only to be regarded as advisory; what matters is that each specific transfer is assessed in a very specific manner.
Mathias T. Gebrmichael and John E. Nilsen