
Privacy Alert: The European Commission finally releases guidance on international data transfers

As a follow-up to the CJEU’s Schrems II ruling, the European Data Protection Board (EDPB) adopted draft recommendations on cross-border data transfers, setting out new supplementary measures and transfer tools to ensure compliance with the EU level of protection of personal data, and setting the standard guarantees for surveillance measures.

These recommendations reflect the first firm approach laid down by the EDPB since the Schrems II ruling and the invalidation of the EU-US Privacy Shield, containing best practices and guidelines to ensure compliance and improve business certainty for companies and regulators.



The recommendations contain a roadmap of the steps data exporters should take:

1. Map all your transfers of personal data to third countries, including sub-processor and onward transfers. To gain full awareness it is recommended to build on the records of processing activities that you may be obliged to maintain as controller or processor under Article 30 GDPR and create a map of destinations as well;
 
2. Verify the transfer tool your transfer relies on. It could be an adequacy decision, any of the transfer tools listed under Article 46 (standard contractual clauses (SCCs); binding corporate rules (BCRs); codes of conduct; certification mechanisms; ad hoc contractual clauses), or, as an exception for non-repetitive transfers, the Art. 49 derogations;
 
3. Assess whether the law or practice of the third country provides a level of protection that is essentially equivalent to that guaranteed in the EEA. Where appropriate, your data importer should provide you with the relevant sources and information relating to the third country. The EDPB also provides the European Essential Guarantees, a non-exhaustive list of elements to be assessed;
 
4. Identify and adopt supplementary measures to your contractual clauses. Supplementary measures may have a contractual, technical or organizational nature;
 
5. Take any formal procedural steps required for the adoption of your supplementary measures, including steps which may enable you to demonstrate compliance (records, authorizations from the supervisory authority, etc.); and
 
6. Re-evaluate and monitor, on an ongoing basis, the level of protection in the third country to which you have transferred personal data.

The recommendations also contain a non-exhaustive list of supplementary measures that rely on best-practice cases and may be of great importance, to be incorporated in data processing agreements and privacy addendums. We can find recommendations with respect to the following use cases:

1. Data storage for backup purposes;
 
2. Transfer of pseudonymised data;
 
3. The data exporter wishes to transfer data to a destination recognized as offering adequate protection while the data is routed/transiting via a third country;
 
4. The data exporter transfers personal data to a data importer in a third country specifically protected by that country’s local law (such as for the purpose of providing a medical treatment);
 
5. Joint processing by two or more independent processors located in different jurisdictions;
 
6. Transfer to cloud services providers which require access to data;
 
7. Remote access to data for business purposes.

What all these use cases have in common is that they represent "soft" cases of data transfer and processing activities, and may reside in "gray" areas that have so far not been clear enough for controllers. The elaborations on each use case may assist legal professionals in setting the proper safeguards in their controller-processor engagement terms.

In addition, the guidelines propose new provisions to be incorporated in service agreements or in their accompanying data processing agreements, which may improve SCCs or DPAs in many types of relationships. Here are some examples of those additions:

· Providing for the contractual obligation to use specific technical measures

· Add annexes to the contract with information that the importer would provide on the access to data by public authorities (including intelligence agencies).

· Add clauses whereby the importer certifies that it has not purposefully created back doors or similar programming that could be used to access the system

· Strengthen the obligation of the data importer to promptly inform the data exporter of its inability to comply with the contractual commitments as a result of changes in the third country’s legislation or practice

· In case of any order issued by public authorities for disclosing the personal data, the data importer should seek interim measures to suspend the effects of the order until the court has decided on the merits (and not disclose the data until the court's decision), and if needed, disclose only the minimum amount of information permissible when responding to the order.

· Personal data transmitted in plain text in the normal course of business (including in support cases) may only be accessed with the express or implied consent of the exporter and/or the data subject

Some of these provisions may be adopted immediately by some of our clients within their data processing agreements, to improve their regulatory compliance (and sometimes even to ease other excessive measures already taken due to regulatory uncertainty).

For Israeli companies these guidelines may also be important in order to mitigate privacy risks if GDPR undertakings have been taken towards EU customers or service providers.

At this stage the recommendations have been submitted for public consultation only, but they may already assist controllers and processors in data transfers, and they indicate the regulatory direction and expectations of the EDPB and other privacy supervisory authorities.

The full text of the EDPB's recommendations is available here.

Adv. Lior Etgar leads the Data Protection and Privacy practice in EBN Tel-Aviv
 
Phone: +972-3-7770120
Email: liore@ebnlaw.co.il
Privacy and Data Protection, Cyber and IT:
 
EBN provides advice on aspects of information governance and complex technology applications incorporating data processing, such as SaaS, web and mobile apps, and automation. In addition, the firm maintains significant knowledge on advanced regulatory frameworks such as the GDPR, CCPA and HIPAA and retains unique expertise on processing of health data.