Following the recent judgment C-311/18 (Schrems II), most of us were looking forward to further guidance from European data protection authorities on how to address international data transfers to third countries, particularly to the US after the invalidation of Privacy Shield, as well as other territories with strict surveillance laws. In this regard, the EDPB has finally issued the much-awaited recommendations on supplementary measures to ensure compliance when transferring personal data to third countries, open for public consultation until 30 November 2020.

Throughout this document, the EDPB outlines the steps that organisations, as exporters, should take and assess when transferring personal data:

1. Map all their transfers, knowing what data is imported and exported. In line with the “data minimisation” principle, organisations must prove that the transferred data is limited to what is necessary in relation to the purposes for which it is transferred to the third country.

2. Verify the transfer tool on which the organisations’ transfer relies. The most common tools are: (i) standard contractual clauses; (ii) binding corporate rules; (iii) codes of conduct; and (iv) certification mechanisms.

3. Assess, where necessary jointly with the importer, whether there is legislation or practice in the third country that may undermine the effectiveness of the safeguards provided by the transfer tool organisations are relying on. Where appropriate, the importer should provide the exporter with the relevant information relating to the third country in which it is established and the laws applicable to the transfer. Although the exporter’s assessment must be based on publicly available legislation, it is important to point out that in some situations this may not be sufficient, as relevant legislation in the third country may be absent. In this case, the EDPB states that the exporter should look into other relevant and objective factors and not rely on subjective ones, such as the likelihood of public authorities’ access to the exporter’s data in a manner not in line with EU standards.

4. Identify and adopt the supplementary measures that are necessary to bring the level of protection of the transferred data up to the EU standard of essential equivalence. The EDPB lists non-exhaustive examples of such measures, which can be broken down into three groups:

4.1. Technical measures, such as transferring pseudonymised or encrypted data, or transferring data to an importer in a third country that is specifically protected by that country’s law, e.g., for the purpose of jointly providing medical treatment to a patient. In addition, the EDPB covers some scenarios in which no effective measures could be found: one is transferring data to cloud service providers or other processors which require access to the data in the clear; another is remote access to data for business purposes.

4.2. Organisational measures, including, for instance, internal policies, especially within groups of enterprises; documenting and recording the requests for access received from public authorities and the responses provided; or the adoption of strict data security and data privacy policies, based on EU certifications or codes of conduct, international standards and best practices.

4.3. Additional contractual measures, such as a contractual obligation to use specific technical measures; ensuring compliance with the transparency principle; or audits by the exporter of the importer’s data processing facilities, among others.

5. Take any formal procedural steps that the adoption of the organisations’ supplementary measures may require, depending on the transfer tool they are relying on.

6. Monitor, on an ongoing basis, developments in the third country (i.e., a country that is not a Member State of the EEA) to which the company has transferred personal data that could affect its initial assessment of the level of protection and the decisions taken on data transfers. This falls under the accountability principle.