On 18 June 2021, the European Data Protection Board (“EDPB”) finalised its recommendations on measures that supplement transfer tools in order to ensure compliance with the EU level of protection of personal data. These recommendations are an updated version of the previous draft published in November 2020, which was drafted in light of the Schrems II decision. The new recommendations have been updated following public consultation and are expected to assist controllers and processors in complying with their duties to identify and implement appropriate supplemental measures when personal data is transferred out of the EEA into third countries.
The recommendations provide a very helpful six-step guide which aims to assist organisations in carrying out a transfer impact assessment. The six steps can be summarised as follows:
- Know your transfer: this requires organisations to map all transfers of personal data to third countries. This can often be a difficult task but is necessary in order to ensure that adequate measures are put in place to afford an equivalent level of protection wherever the personal data is processed. The EDPB also recommends that transfers are relevant and limited to what is necessary.
- Identify the transfer mechanism that you are relying on: this requires organisations to identify what mechanisms are in place to provide the necessary equivalent protection. This will generally be through: (a) an adequacy decision, meaning that no further steps are required; or (b) adopting one of the transfer tools listed under Article 46 of the General Data Protection Regulation (“GDPR”) (e.g. Standard Contractual Clauses). In limited circumstances, it may also be possible to rely on the derogations under Article 49 of the GDPR, but these should only be used if one of the conditions outlined in Article 49 is met.
- Assess whether the transfer mechanism is effective: this requires organisations to consider the law and practice of the third country to determine whether it impinges on the effectiveness of the mechanism.
- Identify and adopt supplemental measures: this requires organisations to adopt supplemental measures where the assessment carried out under step three identifies that the law or practice of the third country impinges on the effectiveness of the mechanism being relied on. The recommendations include a non-exhaustive list of supplemental measures which may be adopted.
- Take any formal procedural steps: this requires organisations to take any formal steps that the adoption of the supplementary measure may require. Examples include seeking authorisation from the competent supervisory authority if the organisation intends to modify the SCCs.
- Continually re-evaluate: this requires organisations to be proactive and to review arrangements at appropriate intervals to ensure that the measures remain effective in the third country.
While the recommendations provide certainty and clear guidance for organisations looking to transfer personal data outside the EEA, the level of accountability imposed on organisations is now significantly higher. In particular, step three requires a full legal analysis of not only the law but also the practice in the third country to determine whether it will impinge on the effectiveness of the mechanisms being relied on. This is an onerous task for all organisations, and in particular for smaller organisations which seek to transfer personal data outside of the EEA.
Moreover, such recommendations are in addition to the requirements detailed in the new SCCs, with which organisations are required to comply (read our article on the new SCCs here).
The recommendations apply to the EU GDPR transfer regime and as such do not apply to the transfer regime set out in the UK version of the GDPR that was retained post-Brexit. However, the ICO intends to publish its own guidance and is currently consulting on its draft international transfer agreement, which includes an international transfer risk assessment and tool. Good practice would, however, be expected to align with the EDPB’s recommendations.
How can we help?
If you have queries in relation to international data transfers, whether from the EU or the UK, or data processing arrangements, please get in touch with a member of our specialist Data Protection & Cyber Security team.
This article was co-written by Haris Saleem, Trainee Solicitor.