How to: International Data Transfers

Intro

A lot of organizations are struggling with international data transfers. Rules are strict, and companies can’t just transfer personal data from EEA data subjects outside of this region. Look at Google. Even they are in a tight spot with Google Analytics and Google Fonts after the Austrian Data Protection Authority (Datenschutzbehörde or DSB) ruled that they are in fact not compliant with the GDPR, when it comes to international data transfers. A rippling effect has started, as the French Supervisory Authority (CNIL) meanwhile issued a similar decision regarding Google Analytics.  

 

The GDPR provides these special safeguards to ensure that personal data remains protected across borders. As knowledge is power, we thought it would be useful to guide you through the different mechanisms in place to transfer personal data outside of the EEA.

The Adequacy Decision

First things first,  an adequacy decision is a formal decision made by the EU, which recognizes that another country, territory, sector, or international organization provides an equal level of protection for personal data as the EU does. If granted, you can safely transfer data to that country without extra measures. Examples of countries that received adequacy are the UK (1 July 2021) and South Korea (16 June 2021). It’s one of the mechanisms that allow organizations to transfer personal data to a third country (non-EEA). If granted, no further measures need to be taken with regard to the transfer.

 

In case no adequacy decision is granted, other mechanisms might be considered.

1. Standard Contractual Clauses

Standard Contractual Clauses (‘SCCs’) are standard sets of contractual terms and conditions that exist to protect personal data leaving the EEA. Both the exporter and the importer of personal data need to agree to these terms. As of 27 September 2021, organizations need to use the new SCCs for new contracts. Contracts that were signed before this date, which have already incorporated the old SCCs will remain valid until 27 December 2022 (provided that the processing operations that are the subject matter of the contract, remain unchanged and that the reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards). Currently, there are four modules of SCC’s issued by the European Commission directed at the transfer of personal data:

  • Controller to controller,
  • Controller to processor,
  • Processor to processor
  • Processor to controller
 

Under Article 46 of GDPR, companies should install appropriate safeguards to verify if the law in destination countries ensures a level of protection for personal data that is essentially equivalent to that in the EEA. If not, organizations must assess whether supplementary measures should be implemented. This applies to the use of SCC, but also BCR (see mechanism 2).

  • Step 1: Know your transfers. An existing Record of Processing Activities (RoPA), for instance, can be a very useful tool to analyze whether an organization has international transfers.
  • Step 2: Identify the transfer tools you are relying on.
  • Step 3: Assess whether the article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transferA TIA (Transfer Impact Assessment) needs to be done for all international transfers relying on an art. 46 safeguard.
  • Step 4: Adopt supplementary measures (
  • Step  5: Procedural steps if you have identified effective supplementary measures
  • Step 6: Re-evaluate at appropriate intervals

2. Binding Corporate Rules

For a multinational group of companies, another option would be to draft Binding Corporate Rules (“BCRs”). BCRs are legally binding, internal rules and policies for data transfers within a group of companies, allowing the transfer of personal data from the EEA to affiliates located outside of the EEA in compliance with GDPR. BCRs must be approved by the lead supervisory authority, following an opinion of the EDPB.

3. Article 49 derogations

In accordance with article 49 GDPR certain types of data transfers can be executed in accordance with specified derogations. It must be underlined however that these must be treated as what they are, namely ‘derogations’ or ‘exceptions’. This means that derogations can only be applied as an exception to the rule. They must be interpreted restrictively, can only relate to processing activities that are occasional and non-repetitive. Moreover, they must take place in accordance with the conditions that are foreseen for them.

4. Codes of Conduct and certification mechanisms

Code of Conduct is a (new) instrument of the GDPR. It helps companies meet their operational compliance needs. These codes help organizations ensure that they’re following the best practices, specifically for the sector in which they operate.  It’s a reminder of the company’s obligations towards its data subjects.

5. Storage and processing of personal data within the EEA

Last but not least companies should consider re-evaluating their international transfers outside the EEA and determine whether these transfers are really necessary (i.e. is there a possibility to replace them with an EEA alternative?) or at least do a data minimization exercise.

A Piece of Cake

If knowledge is power, preparation and efficient follow-up are key. As mentioned earlier, the first important step is knowing all your transfers through your Records of Processing Activities. You will need a comprehensive tool to keep track of all your processing activities.

This is where RESPONSUM comes into play. RESPONSUM tracks all international data transfers within its RoPA module. You can choose which mechanisms are in place for a data transfer. This, in turn, is linked to Transfer Impact Assessments (TIAs) and Vendor Assessments – the latter is relevant if the data transfer goes to another company (which is often the case).

If a data transfer then changes, (e.g., because of another cloud service), RESPONSUM will push out a notification, letting you know that a TIA and Vendor Assessment need to be carried out. In the case that a vendor changes its policy, you’ll receive a notification that you need to adjust your RoPA. It helps you gather information more efficiently and faster than ever before. Read all about how the RESPONSUM RoPA and  TIA modules, or request a free demo and turn your International Data Transfers into a piece of cake.

Published on February 25, 2022. Written by: 

Bavo Van den Heuvel

Chief Knowledge Officer at RESPONSUM

Try it out yourself.

Book a free demo with one of our experts today. Don’t worry, they won’t bite.