The updated EDPB recommendations on supplementary measures - What’s needed for compliant transfers

Jun 24, 2021

The European Data Protection Board (EDPB) adopted, on 18 June 2021, the final version of its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

The recommendations were first adopted for public consultation in November 2020, following the Court of Justice of the European Union (CJEU) judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (Schrems II), which invalidated the EU-US Privacy Shield and made EU-US data transfers relying on the Privacy Shield non-compliant overnight. The Court also required supplementary measures, where needed, for the possible replacement transfer mechanisms such as the Standard Contractual Clauses, making the load on organisations even heavier.

The recommendations aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where needed, so that personal data transferred to third countries enjoy a level of protection essentially equivalent to that in the EU.

Transfer impact assessments will be a challenging task for organisations across the board and shouldn't be underestimated. PrivacyPerfect aims to clarify the recommendations and give you a practical step-by-step plan for keeping your data transfers compliant.

6-step roadmap for compliant data transfers

  1. Know your transfers
  • Use your Article 30 GDPR register of processing activities as the starting point.
  • Assess (onward) transfers of personal data to third parties, such as storage outside the EEA or cloud hosting.
  • Remote access to personal data from a third country, for example by employees working from home outside the EEA or by a help desk outside the EEA, also counts as a transfer.
  • Where the cloud provider is established in the EEA, a clear contractual statement that the data will not be processed in third countries at all means no transfer takes place; if the provider does not give that assurance, treat the processing as a transfer.
  • Verify that the data you transfer are adequate, relevant and limited to what is necessary in relation to the purposes for which they are transferred to and processed in the third country (data minimisation).
  2. Identify the transfer mechanism you are relying on
  • Adequacy decisions (Article 45 GDPR)
  • Article 46 GDPR transfer tools
    • Standard Contractual Clauses (SCC)
    • Binding Corporate Rules (BCR)
    • Codes of conduct
    • Certification mechanisms
    • Ad hoc contractual clauses
  • Article 49 GDPR derogations, for transfers that are occasional and non-repetitive ('not the rule')
  3. Assess whether the transfer mechanism relied upon is effective in practice
  • Consider the circumstances of the transfer, for instance:
    • Actors, such as processors or sub-processors, involved in the transfer
    • Purposes for which the data are transferred
    • Types of entities involved in the processing (public/private, controller/processor)
    • Sector in which the transfer occurs (health, financial, etc.)
    • The categories of personal data transferred
    • Whether the data are stored in the third country or only accessed remotely from there
    • Format of the data to be transferred (plain text, pseudonymised, encrypted, etc.)
    • Possibility of onward transfers
  • Assess the laws (particularly those regulating access by public authorities) and the practices of the third country. Among others, consider:
    • The elements listed in Article 45(2) GDPR
    • The EDPB's European Essential Guarantees (EEG) for surveillance measures (Recommendations 02/2020), which set out what justifiable access to data by public authorities must satisfy:
      • Guarantee A - Processing based on clear, precise and accessible rules
      • Guarantee B - Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
      • Guarantee C - An independent oversight mechanism exists
      • Guarantee D - Effective remedies are available to the individual
    • Practices in force are especially important when:
      • legislation in the third country that formally meets EU standards is manifestly not applied or complied with in practice
      • relevant legislation in the third country is lacking and there are practices incompatible with the commitments of the transfer tool
      • the transferred data and/or the importer fall, or might fall, within the scope of problematic legislation.
  • Sources you may use for your assessment:
    • Information obtained in cooperation with the data importer
    • Case-law of the CJEU and of the European Court of Human Rights (ECtHR)
    • Adequacy decisions concerning the country of destination, where the transfer relies on a different legal basis
    • Resolutions and reports from intergovernmental organisations, such as the Council of Europe, other regional bodies, and UN bodies and agencies (e.g. UN Human Rights Council, Human Rights Committee)
    • National case-law or decisions taken by independent judicial or administrative authorities of third countries competent in data privacy and data protection
    • Reports from academic institutions and civil society organisations (e.g. NGOs and trade associations)
  • Assessment outcomes
    • Where you find that essentially equivalent protection may not be provided, it is the responsibility of the data exporter either to adopt the supplementary measures of step 4 or not to transfer the personal data.
      • This is especially the case when the third-country laws:
        • do not respect the essence of the fundamental rights and freedoms of the EU Charter of Fundamental Rights; or
        • exceed what is necessary and proportionate in a democratic society to safeguard one of the important objectives also recognised in EU or Member State law, such as those listed in Article 23(1) GDPR.
    • Where you find that essentially equivalent protection is provided, re-evaluate and monitor as described in step 6.
      • This may be the outcome even where a 'problematic law' exists, provided you can show, with documented evidence, that the law is not applied in practice to the transferred data in a way that affects the rights of data subjects.
  4. Adopt supplementary measures
  • Decide on a case-by-case basis, taking into account for instance
    • the format and nature of the data
    • the length and complexity of the data processing workflow (actors and their relationships)
    • how the third-country law is applied in practice
    • the possibility that the data may be subject to onward transfers
  • Measures may be a combination of technical, organisational and contractual measures
    • Contractual and organisational measures alone will generally not prevent access by public authorities; they need to be combined with technical measures
  • Measures must be checked against the findings from steps 1 to 3
  • The EDPB gives example measures, and the conditions under which they are effective, in Annex 2 of its Recommendations, for instance
    • Technical: state-of-the-art encryption that is robust against cryptanalysis, cryptographic keys retained solely by the exporter or by a trusted entity in the EEA, pseudonymisation with the re-identification information held by the exporter, and split or multi-party processing
    • Organisational and contractual: contractual obligations to implement technical measures, transparency obligations, commitments to take specific actions, reinforced data subject rights, internal governance policies (especially within enterprise groups), accountability measures such as transparency reports, data minimisation, adoption of standards and best practices, regular reviews, and data importer commitments
    • Where the processor needs the personal data in the clear to provide the service, transport encryption and data-at-rest encryption, even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys
  • Where no effective supplementary measure can be found, do not start the transfer, or suspend or end it; if you nevertheless intend to continue transferring, you must inform the competent supervisory authority
  5. Procedural steps if you have identified effective supplementary measures
  • SCC
    • Measures that merely add to the SCCs do not require authorisation. Where the SCCs are modified, or where the supplementary measures directly or indirectly contradict them, authorisation must be sought from the competent supervisory authority.
  • BCR
    • The commitments that need to be included will be set out in the updated WP256/257 referentials; all groups relying on BCRs as a transfer tool will have to align their existing and future BCRs to them.
  • Ad hoc contractual clauses
    • The Schrems II judgment applies here too: essentially equivalent protection must be ensured and supplementary measures adopted where needed, and the clauses themselves require authorisation by the competent supervisory authority.
  6. Re-evaluate on an ongoing basis at appropriate intervals
  • Monitor developments in the third country that could affect your assessment, and suspend the transfer if
    • the importer has breached, or is unable to fulfil, the commitments it has taken in the Article 46 GDPR transfer tool
    • the supplementary measures are no longer effective in the third country
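The technical measures in step 4 turn on one question: who holds the secret that links the exported data back to a person. The following script is an added illustration, written for this summary and not code from the EDPB or from PrivacyPerfect, of keyed pseudonymisation with the key and the re-identification table kept by the exporter, alongside a data-minimisation check before export. The record schema (customer_id, name, email, country, order_total, product_category), the field lists and the sample records are constructed assumptions for the example; it uses only the Python standard library. It also shows why an unkeyed hash is not a supplementary measure at all: when identifiers come from a small space, anyone holding the token can recover them by brute force.

```python
import hashlib
import hmac
import secrets

# Constructed example schema (not from the EDPB text): fields an importer in a
# third country is allowed to receive (data minimisation) and direct identifiers
# that must never leave the exporter in the clear.
ALLOWED_FIELDS = {"country", "order_total", "product_category"}
DIRECT_IDENTIFIERS = {"customer_id", "name", "email"}


def pseudonym(key: bytes, subject_ref: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 of a subject reference under the exporter's secret key.

    Without the key the token cannot be linked back to the subject, even by
    recomputing it for every plausible identifier (see dictionary_attack)."""
    return hmac.new(key, subject_ref.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes, lookup_table: dict) -> list:
    """Build the export set from the exporter's records.

    Direct identifiers are replaced by a keyed pseudonym and every field not in
    ALLOWED_FIELDS is dropped. The re-identification information
    (pseudonym -> customer_id) is written to lookup_table, which, like key,
    stays with the exporter inside the EEA and is never sent to the importer."""
    exported = []
    for rec in records:
        token = pseudonym(key, rec["customer_id"])
        lookup_table[token] = rec["customer_id"]
        out = {"pseudonym": token}
        out.update({k: v for k, v in rec.items() if k in ALLOWED_FIELDS})
        exported.append(out)
    return exported


def leaks_direct_identifier(exported) -> bool:
    """Pre-transfer check: True if any exported record still carries a direct identifier."""
    return any(k in DIRECT_IDENTIFIERS for rec in exported for k in rec)


def unkeyed_token(subject_ref: str) -> str:
    """The weak alternative: a plain hash with no secret key."""
    return hashlib.sha256(subject_ref.encode("utf-8")).hexdigest()


def dictionary_attack(token: str, candidates, token_fn):
    """What an importer, or an authority compelling it, can do with a token:
    recompute it for every plausible identifier and look for a match.
    Returns the matching identifier or None."""
    for cand in candidates:
        if hmac.compare_digest(token_fn(cand), token):
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample data for the demo.
    key = secrets.token_bytes(32)   # generated and held by the exporter only
    lookup_table = {}               # held by the exporter only
    records = [
        {"customer_id": "C-1001", "name": "Anna Example", "email": "anna@example.org",
         "country": "DE", "order_total": 42.0, "product_category": "books"},
        {"customer_id": "C-1002", "name": "Bo Example", "email": "bo@example.org",
         "country": "FR", "order_total": 17.5, "product_category": "music"},
    ]
    exported = pseudonymise(records, key, lookup_table)
    assert not leaks_direct_identifier(exported)
    print("exported:", exported)

    # Customer IDs follow a small pattern, so an unkeyed hash is reversed by brute force...
    space = [f"C-{i}" for i in range(1000, 2000)]
    print("unkeyed sha256 reversed to:",
          dictionary_attack(unkeyed_token("C-1001"), space, unkeyed_token))
    # ...while the keyed pseudonym is not, unless the attacker also holds the key.
    print("keyed pseudonym without key:",
          dictionary_attack(exported[0]["pseudonym"], space, unkeyed_token))
    print("keyed pseudonym with exporter's key:",
          dictionary_attack(exported[0]["pseudonym"], space, lambda c: pseudonym(key, c)))
```

The last line of the demo is the point the EDPB makes about keys: whoever holds the key can re-identify the data, so the measure only works if the key and the lookup table never reach the importer or anyone the third-country authorities can compel.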