EDPB Guidelines on Transfer of Data to 3rd Countries- A Synopsis

This article is a high-level overview of the EDPB's 48-page guidelines on the transfer of personal data to third countries (Recommendations 01/2020 on measures that supplement transfer tools, adopted after the CJEU's Schrems II judgment). The common thread running through all six steps is accountability.

Accountability in Data Transfers

The first thing the guideline talks about is accountability.

  • Exporters and importers (whether they are controllers and/or processors) are expected to go beyond passive compliance.
  • Controllers and processors should comply with the right to data protection in an active and continuous manner by implementing legal, technical, and organizational measures that ensure its effectiveness.
  • Controllers and processors must be able to demonstrate these efforts to data subjects and data protection supervisory authorities.
  • A transfer of personal data is itself a processing operation (Article 4(2) GDPR). If you wish to transfer special categories of data falling under Articles 9 and 10 GDPR, you may only do so if the transfer falls within one of the derogations and conditions set out in Articles 9 and 10 GDPR and in EU Member States' law.

Accountability in Practice

Step I

  1. Know your transfer: Map the transfers, including onward transfer. E.g., whether your processors outside the EEA transfer the personal data you entrusted to them to a sub-processor in another third country or in the same third country.
  2. Data minimization: Verify that the data you transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  3. Remote access from a third country (for example in support situations) and storage in a cloud located outside the EEA and offered by a service provider are also considered transfers.

Step II

  1. Identify your transfer tools: an adequacy decision (Article 45 GDPR), or one of the Article 46 GDPR tools: SCCs, BCRs, Codes of Conduct, Certification Mechanisms, or Ad hoc Contractual Clauses. Subject to specific conditions, you may rely on a derogation under Article 49 GDPR.
  2. Confirm appropriate safeguards: Assess whether or not the law in force in the third country may impinge on the effectiveness of the appropriate safeguards of the Article 46 GDPR transfer tool you are relying on.
  3. Move to Step 3: If your transfer can neither be legally based on an adequacy decision, nor on an Article 49 derogation, you need to continue with Step 3.

Step III

  1. Assess if the law and/or practices in force in the third country may impinge on the effectiveness of the appropriate safeguards of the Article 46 GDPR transfer tool you are relying on.
  2. Assess whether there are elements concerning access to data by public authorities of the third country.
  3. Take into consideration all the actors participating in the transfer (e.g. controllers, processors, and sub-processors processing data in the third country), as identified in the mapping exercise of transfers. The more controllers, processors, or importers involved, the more complex your assessment will be.
  4. Assess the effectiveness of available mechanisms for individuals to obtain (judicial) redress against unlawful government access to personal data.
  5. Assess data importer’s commitments towards data subjects’ rights.
  6. Use Articles 47 and 52 of the EU Charter of Fundamental Rights to assess whether access by public authorities is limited to what is necessary and proportionate in a democratic society and whether data subjects are afforded effective redress.
  7. Use the EDPB's European Essential Guarantees (EEG) to assess whether the legal framework in that country is sufficiently clear and whether the powers it grants unjustifiably interfere with the data exporter's and importer's obligations to ensure essential equivalence pursuant to the GDPR. The EEG are the reference standard for assessing the interference entailed by third country surveillance measures in the context of international transfers.
  8. Assess whether the relevant legislation in the third country, even where it formally meets EU standards on fundamental rights and freedoms and on the necessity and proportionality of restrictions thereto, is actually applied in practice in a way that lives up to those standards.
  9. Assess whether the relevant legislation in the third country is lacking altogether (e.g. no law governing public authorities' access to personal data held by the private sector).
  10. Take into consideration documented practical experience of the importer with relevant prior instances of requests for access received from public authorities in the third country.

Step IV- Supplementary Measures

  1. You should conduct the overall assessment of the law and practice of the third country of your importer applicable to your transfer with due diligence and document it thoroughly.
  2. Supervisory and/or judicial authorities may request it and hold you accountable for any decision you take on that basis.
  3. Your assessment may ultimately reveal which transfer tool to rely upon under Article 46 GDPR.
  4. If your assessment under Step 3 has revealed that your Article 46 GDPR transfer tool is not effective, then you will need to consider supplementary measures which can be used to ensure that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the EU.
  5. The CJEU underlined that where Article 46 GDPR transfer tools fall short, it is the responsibility of the data exporter to either put in place effective supplementary measures or to not transfer personal data.
  6. You do not need to repeat the assessment every time you conduct the same transfer of a specific type of data to the same third country.
  7. Look at the following (non- exhaustive) list of factors to identify which supplementary measures would be most effective in protecting the data transferred from public authorities’ requests for access to data:
    – Format of the data to be transferred (e.g. plain text, pseudonymised or encrypted);
    – Nature of the data (e.g. a higher level of protection is afforded in the EEA to categories of data covered by articles 9 and 10 GDPR);
    – Length and complexity of data processing workflow, number of actors involved in the processing, and the relationship between them (e.g. do the transfers involve multiple controllers or both controllers and processors, or involvement of processors which will transfer the data from you to your data importer -considering the relevant provisions applicable to them under the legislation of the third country of destination-);
    – Practical application of the third country law, as concluded in Step 3 (e.g. the techniques and parameters public authorities use when accessing data);
    – Possibility that the data may be subject to onward transfers, within the same third country or even to other third countries (e.g. involvement of sub-processors of the data importer.)

Effective Supplementary Measure Found

If you have put in place effective supplementary measures, which combined with your chosen Article 46 GDPR transfer tool reach a level of protection that is now essentially equivalent to the level of protection guaranteed within the EEA: you may proceed with your transfers.

No Effective Supplementary Measure Found

Where you are not able to find or implement effective supplementary measures that ensure that the transferred personal data enjoys an essentially equivalent level of protection-

  • Do not start transferring personal data on the basis of the Article 46 GDPR transfer tool
  • If you are already conducting transfers, you are required to suspend or end the transfer of personal data.
  • If you have already transferred to that third country, copies should be returned to you or destroyed in their entirety by the importer.

Step V- Procedural Steps if You Have Identified Effective Supplementary Measures

1. Standard data protection clauses ("SCCs") (Art. 46(2)(c) and (d) GDPR)

  • When you intend to put in place supplementary measures in addition to SCCs, you do not need to request an authorisation from the competent supervisory authority (SA), as long as the identified supplementary measures do not contradict the SCCs.
  • Where you intend to modify the standard data protection clauses themselves, or where the supplementary measures added contradict the SCCs, you are no longer deemed to be relying on standard contractual clauses and must seek an authorisation from the competent supervisory authority in accordance with Article 46(3)(a) GDPR.

2. BCRs (Art. 46(2)(b) GDPR)

  • The Schrems II judgement is relevant for transfers of personal data on the basis of BCRs, since third countries laws may affect the protection provided by such instruments.
  • All commitments that need to be included will be set out in the updated WP256/WP257 referentials, to which all groups relying on BCRs as transfer tools will have to align their existing and future BCRs.

3. Ad hoc contractual clauses (Art. 46(3)(a) GDPR)

The reasoning put forward by the Schrems II judgment applies to the other transfer instruments under Article 46(2) GDPR as well, since all of these instruments are essentially contractual in nature: the guarantees they foresee and the commitments the parties take therein cannot bind third country public authorities.

Step VI- Re-evaluate at appropriate intervals

  1. Monitor, on an ongoing basis, developments in the third country to which you have transferred personal data that could affect your initial assessment of the level of protection and the decisions you may have taken accordingly on your transfers.
  2. Accountability is a continuing obligation (Article 5(2) GDPR)
  3. Put sufficiently sound mechanisms in place to ensure that you promptly suspend or end transfers where:
  • the importer has breached or is unable to honour the commitments it has taken in the Article 46 GDPR transfer tool; or
  • the supplementary measures are no longer effective in that third country.

Summary

  • Chapter V of the GDPR governs transfers of personal data to third countries and sets a high bar: the transfer must not undermine the level of protection of natural persons guaranteed by the GDPR (Article 44 GDPR). The CJEU C-311/18 (Schrems II) judgement underscores the need to ensure the continuity of the level of protection afforded under the GDPR to personal data transferred to a third country.
  • To ensure an essentially equivalent level of protection of your data, you must know your transfers thoroughly.
  • You must also identify the transfer tool you rely on for your transfers.
  • You must verify on a case-by-case basis whether (or not) the law or practice of the third country of destination undermines the safeguards contained in the Article 46 GDPR transfer tool.
  • Where you are not able to find or implement effective supplementary measures, you must not start transferring personal data to the third country concerned based on your chosen transfer tool.
  • The competent supervisory authority has the power to suspend or end transfers of personal data to the third country if the protection of the data transferred that EU law requires, in particular Articles 45 and 46 GDPR and the Charter of Fundamental Rights, is not ensured.
