Data Protection for Organisations
International Transfers of Personal Data
Definition of International Transfer:
The IDPC encourages controllers and processors to conduct a careful assessment of the specific circumstances of each processing activity, taking into account the definition of international data transfer.
In the light of the findings in the CJEU Judgment of 6 November 2003, Bodil Lindqvist, C-101/01, there are three cumulative criteria that qualify a processing activity as an international transfer, as follows:
1) A controller or a processor is subject to the GDPR (“General Data Protection Regulation”) for the given processing.
2) This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
3) The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.
The criteria are set out in the recently adopted (for public consultation) EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR.
It is important to note that, even though Chapter V regulates transfers of personal data to third countries or international organisations, the definition above clearly evidences that the data need not flow from a Member State of the European Union to a third country. In accordance with data protection law, simply making data available to a separate entity abroad may constitute an international data transfer, should the criteria above apply.
Necessary safeguards:
According to the GDPR, the general principle for international data transfers is that personal data protected under EU law continues to be protected by appropriate safeguards when transferred to a third country.
The data exporter must ensure that the level of protection of natural persons, which is guaranteed by the GDPR, is not undermined. Therefore, the GDPR does not hinder international transfers, though it requires adequate measures to ensure that personal data retains the same level of data protection.
Chapter V of the GDPR provides a range of measures that may be used to safeguard an adequate level of data protection.
Adequacy Decision
According to Article 45 GDPR, no safeguards are required when the European Commission conducts a thorough assessment and determines that a country outside the EU offers an adequate level of data protection. This is a procedure named “Adequacy Decision” with the effect that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to such an adequate country. In this case, the international transfer will be assimilated to intra-EU transmission of data.
The European Commission has so far recognised the following list of countries as providing adequate protection (“adequate countries”): Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the Law Enforcement Directive, and Uruguay. For more information, visit the European Commission’s website.
Where the international transfer is made to a non-adequate country, such transfer is deemed to be subject to appropriate safeguards, in terms of Article 46 GDPR.
Exporters are provided with a diversified toolkit of mechanisms to safeguard international transfers: standard contractual clauses, binding corporate rules, certification mechanisms, codes of conduct, etc.
Binding Corporate Rules
“Binding corporate rules” (BCR) were designed to ensure the compliance of international transfers throughout a group of undertakings or enterprises. As explained in Article 47 GDPR, the approval of such BCR is made in accordance with the consistency mechanism, and will involve several supervisory authorities, particularly if the group applying for the BCR is established in more than one EU Member State.
In addition, BCR should include all general data protection principles and enforceable rights to ensure an adequate level of data protection. Every concerned member of the group should be legally bound to comply with such rules.
Standard Contractual Clauses
Amongst the transfer mechanisms stipulated by law, exporters may use “Standard contractual clauses” (SCC) as an appropriate safeguard. The SCC may be used as a ground for international transfers as long as the set of clauses provides an essentially equivalent level of protection.
On 4 June 2021, the European Commission issued modernised model contract clauses that might be used to ground data transfers from controllers or processors subject to the GDPR to an importer established in a non-adequate country.
You may find the Commission’s latest version of such models of SCC at the following hyperlink: European Commission Standard Contractual Clauses (SCC).
Supplementary measures:
On top of that, any entity exporting personal data may be required to adopt additional measures that supplement transfer tools in order to ensure compliance with the EU level of protection of personal data. This approach is in line with the judgment C-311/18 (“Schrems II”) of the Court of Justice of the European Union (CJEU).
Therefore, besides identifying an appropriate basis to legitimise the transfer operation, exporters are advised to adopt supplementary measures that are necessary to bring the level of protection up to the EU standard of essential equivalence.
In this regard, EDPB Recommendations 01/2020 state the following: “You will be responsible for assessing their effectiveness in the context of the transfer, and in light of the third country law and the transfer tool you are relying on and you will be held accountable for the decision you take”.
For further information on supplementary measures, you are encouraged to visit the IDPC publication on supplement transfer tools recommendations.