Before conducting an international data transfer, organisations need to check the GDPR very carefully. International data transfers should not only be compliant with Chapter 5 but also with all other requirements of the GDPR (following from Article 44 GDPR). Also, in order to transfer personal data outside the EU, organisations need to follow the layered approach of the European Data Protection Board.
According to that approach, organisations need to check whether there is an adequacy decision for the third country. In the absence of an adequacy decision, they need to check whether appropriate safeguards are in place. Then, in the absence of appropriate safeguards, they have to check if derogations for specific situations apply. (Check our previous blog post for the general overview). This post focuses on different appropriate safeguards from article 46 GDPR.
Article 46(2) lists several mechanisms that can be deployed by the organisations:
- A legally binding and enforceable instrument between public authorities or bodies (article 46(2)(a)),
- Binding Corporate Rules (article 46(2)(b)),
- Standard data protection clauses adopted by the Commission (article Art 46(2)(c)),
- Standard data protection clauses adopted by a supervisory authority and approved by the Commission (article 46(2)(d)),
- An approved code of conduct and certification mechanism (article 46(2)(e),(f)).
A legally binding and enforceable instrument between public authorities or bodies
If there is a contract or another legally binding and enforceable instrument between public authorities or bodies then the data transfer can be conducted between the two entities. This only applies to public entities with the power of entering into legally binding arrangements.
Binding Corporate Rules
Binding Corporate Rules are useful for multinational companies since they allow for intra-organisational transfers of personal data across borders. BCRs are standards that multinational organisations create and comply with internally. They should demonstrate GDPR compliance and mirror the data protection culture of the corporations.
Organisations that are planning to adopt BCRs need to check the guidelines of the EDPB. They need to choose a Supervisory Authority (SA) in accordance with the criteria of the EDPB. That SA will, if it’s satisfied by the draft BCRs, be leading the authorisation process and validate the proposed BCRs. Organisations should bear in mind that this is a long and costly process.
Standard data protection clauses adopted by the Commission
The European Commission issued a set of standard contractual clauses that provide sufficient safeguards for international data transfers with the countries that don’t have an adequacy decision. These clauses provide technical and organisational security measures to be applied by data processors established in a third country. They serve as a model contract and will legitimise international data transfers. So, your organisation can implement these clauses within their GDPR compliance scheme*.
Standard data protection clauses adopted by a supervisory authority and approved by the Commission
Supervisory Authorities can also adopt their own standard contractual clauses which should be approved by the European Commission according to the examination procedure in Article 93(2). Organisations can follow the contractual clauses of their own supervisory authority (if there is one). Besides, organisations are also provided with the opportunity to create their own standard contractual clauses if they are authorised by their Supervisory Authorities.
An approved code of conduct and certification mechanisms
Among the many other mechanisms for international data transfers, codes of conduct and certification mechanisms can be applied by specific sectors. Recital 77 refers to the approved codes of conduct and approved certifications as a tool for demonstration of compliance by the controller or the processor. Trade unions or similar organisations representing a sector can create a code of conduct which is compliant with the GDPR.
By voluntarily signing up to a code of conduct, organisations and businesses can prove that their processing activities are in accordance with the principles of the GDPR (transparency, fairness etc.). Codes of conducts need to be approved by the Supervisory Authority of the Member State that you conduct the international data transfer from. If the processing activity involves more than one Member State, then the EDPB should provide an opinion about that code of conduct.
One of the novelties that GDPR introduced to data protection is the certification mechanism. It can be used to demonstrate GDPR compliance. The EDPB drafted guidelines on the accreditation of certification bodies under the GDPR and explains the role of the national accreditation body and the Supervisory Authority. Certifications are prepared by certification bodies or by competent Supervisory Authorities**.
As can be seen from the above-mentioned mechanisms, appropriate safeguards can provide a legitimate basis for international transfers under the GDPR. Which one offers the best alternative to your organisation totally depends on its specific needs, and therefore you will probably need specialised internal or external legal advice on how to use these.