Guideline on data transfers to third countries

Following the Schrems II decision, on November 10th, 2020, the EDPB issued recommendations setting out a six-step approach on measures that supplement transfer tools to ensure compliance with the EU level of personal data protection. The EDPB Recommendations are intended to help organizations meet the requirements established by the CJEU in Schrems II. Unfortunately, the Court in Schrems II did not specify any supplementary measures. Therefore, the EDPB Recommendations are the most important source of guidance on how to lawfully transfer data. The EDPB recommends that organisations follow six steps to transfer personal data to third countries outside of the EEA:

Step 1 – Know your data transfers

Step 2 – Identify the transfer tools you are relying on

Step 3 – Assess whether the Art. 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer

Step 4 – Adopt supplementary measures

Step 5 – Formal procedural steps

Step 6 – Re-evaluate at appropriate intervals

To rely on the standard contractual clauses (SCCs), the EDPB essentially requires organizations to implement specific technical measures, such as encryption.[1]

To ensure lawful data transfers, companies must first review their data processing in relation to transfers to third countries (non-EEA countries). Where an adequacy decision exists, data can be transferred to the third country, so companies should first verify whether such a decision exists. If there is no adequacy decision, companies should assess and decide which transfer mechanism provides the best solution for their situation, and review the chosen mechanism in terms of a substantially equivalent level of protection. Whichever mechanism is chosen, it must be assessed on a case-by-case basis whether personal data transferred to a third country are subject to a level of protection substantially equivalent to that of the EU, in terms of restricting monitoring that allows the authorities access to personal data. If the review of the protection mechanism indicates that it alone cannot ensure a substantially equivalent level of protection, additional measures must be taken. Additional measures can generally be implemented at the technical, organizational and/or legal levels.

Article 49 GDPR contains exceptions to the prohibition on transfers to third countries without an adequate level of data protection, and companies should also check whether their data meets one of these exceptions. A record of processing activities shall be prepared in a detailed and diligent manner so that the supervisory authority can verify compliance. This is important for the fulfilment of transparency obligations. The obligation to notify the supervisory authority (if any) must be fulfilled immediately if the data transfer continues even though the level of protection in the third country is found not to be substantially equivalent.

Taking into account the EDPB recommendations, companies choosing SCCs as their transfer mechanism should apply the following criteria:[2]

1) Use strict data minimisation to ensure that only the information required for processing is transferred to the third country,

2) Completely de-identify and encrypt data sent to a third country (encryption both in transit and at rest),

3) Keep the encryption and pseudonymisation keys in the EU/EEA under the legal, organizational, and technical control of an EU party that is not subject to FISA (or other surveillance regimes),

4) Consider multi-party encryption and processing (e.g., multi-party homomorphic encryption),

5) Put in place a comprehensive information security management system (ISMS) such as ISO 27001,

6) Include all of these measures in Annex III of the SCCs.

Furthermore, organizations must pay close attention to the new ISO 27701, the most recent international standard for data privacy and information management in the ISO 27000 series. It is a certified extension of ISO 27001 that aims to assist organizations in meeting GDPR requirements when implementing a comprehensive privacy information management system (PIMS).


[1] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, Adopted on 18 June 2021.

[2] Corrales Compagnucci, Marcelo and Aboy, Mateo and Minssen, Timo, Cross-Border Transfers of Personal Data after Schrems II: Supplementary Measures and New Standard Contractual Clauses (SCCs) (October 27, 2021), Page 11.
