European Data Protection Board guidance on data transfer tools

By Robert Bond

Robert Bond (robert.bond@bristows.com) is Senior Counsel & Notary Public at Bristows LLP in London, UK.

On June 18, 2021, the European Data Protection Board (EDPB) published updated guidance on the Court of Justice of the European Union’s Schrems II decision.[1] Its guiding principle is that any personal data transferred must be provided with an “essentially equivalent” level of protection, and the controller or processor transferring the data should ensure this essential equivalence is achieved.

The six-step process

The guidance sets out a six-step process for relying on the standard contractual clauses (SCCs) and, in Annex 2, provides examples of “supplementary measures” that could be implemented. Note that, in order to meet the General Data Protection Regulation (GDPR) accountability requirements, each of these steps would need to be documented, and this documentation must be provided to the supervisory authorities on request.

  1. Know your transfers: Understand what data you are transferring outside the European Economic Area, including by way of remote access.

  2. Identify your transfer tool(s): Identify what lawful mechanism you are relying on under GDPR to transfer the data.

  3. Assess whether the transfer mechanism is effective in practice: This requires exporters to consider whether anything in the local law potentially thwarts the protection supposedly offered by the SCCs. The EDPB recommends considering multiple aspects of the third country’s legal system but in particular the rules granting public authorities rights of access to data. Most countries allow for some form of access for law enforcement and national security, so the assessment should focus on whether those laws are limited to what is necessary and proportionate in a democratic society.

  4. Adopt supplementary measures: If your assessment of the local law at Step 3 is that SCCs alone would not be sufficient, then you must adopt supplementary measures to protect the data. The EDPB separates potential supplementary measures into three categories: technical, contractual, or organizational.

  5. Procedural steps if you identified any supplementary measures: This step is only applicable if your supplementary measures contradict the SCCs (hopefully they won’t), so it seems a bit of a red herring.

  6. Reevaluate at appropriate intervals: Monitor developments in the recipient country that could affect your initial assessment. The obligations on the data importer under the SCCs should help here, as it is required to inform the data exporter of a change of law that affects its ability to comply with the SCCs.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings