EDPB Recommendations explained to ensure compliance after Schrems II

Nov 20, 2020 | International Data Transfer

On 16 July 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield in the Schrems II case, making most EU-US data transfers illegal overnight. The Court also set out substantial hurdles for using the most obvious alternative, Standard Contractual Clauses (SCCs). Organisations have to:

'verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.' 

88% of organisations that share data outside the EU rely on model contracts to ensure safe processing. The EDPB has further highlighted that the Schrems II judgment applies to other transfer mechanisms as well, making the load on organisations even heavier.

In response to the case, on 11 November 2020 the European Data Protection Board (EDPB) announced that it had adopted two recommendations: one with a step-by-step plan and measures that supplement transfer tools such as the SCCs to ensure compliance with the EU level of protection of personal data, the other on European Essential Guarantees (EEGs), standards to ensure that national surveillance measures do not inappropriately impede the right to privacy during international data transfers. The recommendations are open for public consultation until 30 November 2020.

PrivacyPerfect aims to clarify the recommendations and give you practical insight into how to keep your data transfers compliant.

6-step roadmap for compliant data transfers

1. Know your transfers
  • Use your Article 30 GDPR register of processing activities.
  • Take into account onward transfers of personal data to third parties, such as storage outside the EEA or cloud hosting.
  • Take into account that access to personal data, such as by employees working from home outside the EEA or by a help desk outside the EEA, counts as a transfer.
  • Verify that the data you transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country (data minimisation).
2. Identify the transfer mechanism you are relying on
  • Adequacy decisions
  • Article 46
    • SCC
    • Binding Corporate Rules (BCR)
    • Codes of conduct
    • Certification mechanisms
    • Ad hoc contractual clauses.
  • Article 49 derogations for processing activities that are occasional and non-repetitive
3. When relying on an Article 46 GDPR mechanism, assess whether it is effective in light of all circumstances of the transfer
  • Consider the circumstances, for instance:
    • Actors, such as processors or sub-processors, involved in the transfer
    • Purposes for which the data are transferred
    • Types of entities involved in the processing (public/private, controller/processor)
    • Sector in which the transfer occurs (health, financial, etc.)
    • The categories of personal data transferred
    • Storage in the third country, or only remote access from the third country
    • Format of the data to be transferred (pseudonymised, encrypted, etc.)
    • Possibility of onward transfers
  • Assess the laws (particularly those regulating actions of public authorities) and practice of the third country. Among others:
    • Article 45(2) GDPR
    • The EDPB's EEG Recommendation for justifiable access to data by public authorities
      • Guarantee A - Processing based on clear, precise and accessible rules
      • Guarantee B - Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
      • Guarantee C - An independent oversight mechanism
      • Guarantee D - Effective remedies need to be available to the individual
  • Sources you may use for your assessment
    • Cooperation with the data importer
    • Case-law of the CJEU and of the European Court of Human Rights (ECHR)
    • Adequacy decisions in the country of destination if the transfer relies on a different legal basis
    • Resolutions and reports from intergovernmental organisations, such as the Council of Europe, other regional bodies, and UN bodies and agencies (e.g. UN Human Rights Council, Human Rights Committee)
    • National case-law or decisions taken by independent judicial or administrative authorities competent on data privacy and data protection of third countries
    • Reports from academic institutions and civil society organisations (e.g. NGOs and trade associations)
  • Assessment outcomes
    • Where you find that essentially equivalent protection may not be provided, it is the responsibility of the data exporter either to apply the supplementary measures of step 4 or not to transfer the personal data.
    • Where you find that essentially equivalent protection is provided, re-evaluation and monitoring should take place as described in step 6.

4. Adopt supplementary measures
  • Consider on a case-by-case basis
    • the format of the data
    • the nature of the data
    • the length and complexity of the data processing workflow (actors and their relationships)
    • the possibility that the data may be subject to onward transfers
  • Measures may be a combination of technical, organisational and contractual measures
    • Organisational and contractual measures alone might not be sufficient
  • Measures must be checked against the findings from steps 1 to 3
  • The EDPB gives example measures, and the conditions for their effectiveness, in Annex 2 of its Recommendations, for instance:
    • Technical: state-of-the-art encryption, appropriate handling of cryptographic keys, pseudonymisation, separating information, and robustness against cryptanalysis
    • Organisational and contractual: contractual obligations to implement technical measures, transparency obligations, obligations to take specific actions, obligations to support data subject rights, internal governance policies (especially within enterprise groups), accountability measures such as transparency reports, data minimisation, adoption of standards and best practices, regular reviews, and data importer commitments.
  • Where measures are not effective, you should contact the competent supervisory authority.
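To make the technical measures listed above concrete, the following Python is an added example written for this article; it is not part of the EDPB Recommendations or of PrivacyPerfect's own tooling. It shows pseudonymisation of direct identifiers before export, with the cryptographic key and the re-identification table retained by the exporter in the EEA (the "separating information" and "handling of cryptographic keys" measures), plus a pre-transfer check that no clear identifier slipped through. The sample records, the `Exporter` class and the function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records; the people and addresses are fictitious.
SAMPLE_RECORDS = [
    {"email": "anna@example.org", "country": "NL", "plan": "pro"},
    {"email": "ben@example.org", "country": "DE", "plan": "free"},
    {"email": "anna@example.org", "country": "NL", "plan": "pro"},  # repeat customer
]

# Fields that directly identify a person and must not leave the EEA in clear.
DIRECT_IDENTIFIERS = frozenset({"email"})


@dataclass
class Exporter:
    """The side of the transfer that stays in the EEA.

    It alone holds the HMAC key and the pseudonym -> identifier table, so the
    importer (and anyone compelling the importer) cannot re-identify records
    from what it receives. This is the 'separating information' measure.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)

    def pseudonym(self, value: str) -> str:
        # Keyed HMAC rather than a bare hash: without the key the importer
        # cannot recompute pseudonyms from a list of candidate addresses.
        # The same input always maps to the same pseudonym, so the importer
        # can still link the records of one person.
        tag = hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        self.lookup[tag] = value  # reverse mapping is kept by the exporter only
        return tag

    def pseudonymise(self, record: dict) -> dict:
        return {k: (self.pseudonym(v) if k in DIRECT_IDENTIFIERS else v)
                for k, v in record.items()}

    def reidentify(self, record: dict) -> dict:
        # Only possible on the exporter side, using the retained table.
        return {k: (self.lookup[v] if k in DIRECT_IDENTIFIERS else v)
                for k, v in record.items()}


def export_batch(exporter: Exporter, records: list) -> list:
    """What is actually sent to the third-country importer."""
    return [exporter.pseudonymise(r) for r in records]


def leaks_identifiers(exported: list, originals: list) -> bool:
    """Pre-transfer check: no original identifier value may appear in the output."""
    clear_values = {r[k] for r in originals for k in DIRECT_IDENTIFIERS if k in r}
    return any(v in clear_values for r in exported for v in r.values())


if __name__ == "__main__":
    ex = Exporter()
    batch = export_batch(ex, SAMPLE_RECORDS)
    assert not leaks_identifiers(batch, SAMPLE_RECORDS)
    for row in batch:
        print(row)
    print("re-identified first row:", ex.reidentify(batch[0]))
```

The design choice worth noting is the keyed HMAC: a plain hash of an e-mail address is deterministic for everyone, so an importer holding a list of candidate addresses could rebuild identities, whereas the HMAC output is only reproducible with the key that never leaves the exporter. Whether the remaining fields (country, plan) are still indirectly identifying is a separate assessment that belongs in step 3.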
5. Procedural steps if you have identified effective supplementary measures
  • SCC
    • Where the SCCs are to be modified, or where supplementary measures directly or indirectly contradict the SCCs, authorisation must be sought from the competent supervisory authority.
  • BCR & Ad hoc contractual clauses
    • The precise impact of the Schrems II judgment is still under discussion. The EDPB will provide more details as soon as possible.
6. Re-evaluate on an ongoing basis at appropriate intervals
  • Suspend the transfer if
    • the importer has breached its commitments
    • the supplementary measures are no longer effective