RegSol Blog

International Transfers of Personal Data to Third Countries: What to do

December 2020

The European Court of Justice struck down the US Privacy Shield earlier this year, thereby making personal data transfers to the US and non-EEA countries under this agreement unlawful. This left another option open for transferring data internationally: the European Commission's Standard Contractual Clauses (“SCCs”). SCCs are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of GDPR. However, the ECJ ruled that use of the SCCs alone did not automatically ensure an adequate level of data protection for GDPR purposes and that “supplementary measures” may be required. This was a significant change and one that created confusion and concern for many companies, large and small. On November 10, 2020, the European Data Protection Board released its Recommendations to help manage the situation. We’ve outlined key points to help you navigate the document, and a link to it is attached below:

  • First and foremost, identify whether you make international transfers of data, including any onward transfers. Records of processing (Article 30 GDPR records) can be useful for tracking where your data goes, from automated storage and cloud providers to marketing tools.
  • Check where the data transfers go. Check whether there are third countries you may send data to that are not deemed adequate by the European Commission, and then identify the transfer mechanisms you are relying on to allow data to be transferred (SCCs or Binding Corporate Rules, for example).
  • Assess whether the protections in place to transfer data internationally are effective. Companies must consider whether the controls they have in place provide an effective level of protection for personal data in practice, by establishing a level of protection in the third country that is essentially equivalent to that guaranteed in the EEA.
  • Adopt Supplementary Measures, where necessary. These measures can be contractual, technical or organizational in nature.

European Data Protection Board Recommendations Document

By: Judy de Castro