EDPB Instruments for transfer of personal data to third countries
By Mugurel Olariu, RPD protectie date
At its 41st plenary session, held as a remote meeting on 09/10 November 2020, the European Data Protection Board (EDPB) adopted two specialized tools on data transfers, namely:
– Recommendations 01/2020 on measures to supplement transfer instruments to ensure compliance with the EU level of protection of personal data ·1. The recommendations are open for public consultation until 21 December 2020.
– Recommendations 02/2020 on Essential European Guarantees for surveillance measures. ·2
These instruments are of major importance for controllers and processors who transfer personal data to third countries. ·3 Controllers and processors carrying out personal data transfers outside the EU Member States (the 27) and Iceland, Norway and Liechtenstein should therefore carry out a specialized analysis and bring their transfers into compliance with the two newly adopted instruments.
The right to data protection is active. Exporters and importers (regardless of whether they are controllers and/or processors) need to carry out a recognition or passive compliance with this right ·4. Controllers and processors must seek to respect the right to data protection in an active and continuous manner by implementing legal, technical and organizational measures to ensure their effectiveness. Controllers and processors must also be able to demonstrate these efforts to data subjects, the general public and the competent supervisory authority. This is the so-called liability principle ·5.
The principle of liability is necessary to ensure that the level of protection conferred by the GDPR also applies effectively to data transfers to third countries ·6, because they are a form of data processing per se ·7. As the Court pointed out in its judgment, a level of protection essentially equivalent to that guaranteed in the European Union by the GDPR, read in the light of the Charter, must be guaranteed to such a transfer, regardless of the provision of that chapter on the basis of which the transfer of personal data to a third country is carried out.
The specialized analysis covers the two levels imposed by the instruments newly adopted by the European specialized body, the EDPB: the compliance of transfers with the European Essential Guarantees, and the measures supplementing the transfer instruments to ensure compliance with the EU level of protection of personal data.
The European Essential Guarantees, developed by Recommendations 2/2020, are based on the fundamental rights to privacy and data protection that apply to any person, regardless of nationality, and cover four conditions or significant benchmarks to be met, namely:
1. Processing should be based on clear, precise and accessible rules.
2. The necessity and proportionality of the legitimate objectives pursued must be demonstrated.
3. There should be an independent oversight mechanism.
4. Effective remedies must be available to every person.
The measures supplementing the transfer instruments to ensure compliance with the EU level of protection of personal data, set out in EDPB Recommendations 1/2020, envisage a number of practical operations available to data exporters ·8 and data importers ·9. These must be analyzed and actually carried out by them, adapted in particular to their own operations, for the secure transfer of data to third countries.
The practical operations are carried out through a specialized and gradual analysis by the two actors, the exporter of data to third countries and the importer of the transferred data, in six steps, which can be summarized as follows:
✔ Step 1: Know your transfers.
✔ Step 2: Identify the transfer tools you are relying on.
✔ Step 3: Assess whether the transfer instrument in Article 46 GDPR you are relying on is effective given all the circumstances of the transfer.
✔ Step 4: Take additional action.
✔ Step 5: Procedural steps if you have identified effective additional measures.
✔ Step 6: Reassess at appropriate intervals.
Controllers and processors: if, following the specialized analysis performed, you cannot find or implement effective supplementary measures to ensure that the transferred personal data enjoys an essentially equivalent level of protection, you must not start the transfer of personal data to the third country concerned on the basis of the chosen transfer instrument. If you are already making transfers, you are required to suspend or terminate the transfer of personal data immediately. The competent supervisory authority has the power to suspend or end transfers of personal data to the third country if the protection of the transferred data required by EU law, in particular compliance with Articles 45 and 46 of the GDPR and the EU Charter of Fundamental Rights, is not ensured ·10.
We conclude that, until the Code of Conduct is adopted as one of the tools to guarantee transfers, this activity can be performed, with the specialized support of our company ·11, as a specific analysis of operations that are in progress or are intended to be carried out by controllers and/or processors for transfers of personal data to third countries.
1. See https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer_en.
2. See https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer_en.
3. Please note that, according to the definitions in Annex 1 to EDPB Recommendations 1/2020, “third country” means any country that is not an EEA Member State, and “EEA” means the European Economic Area and includes the Member States of the European Union (the 27) and Iceland, Norway and Liechtenstein. The GDPR applies to the latter under the EEA Agreement, and in particular Annex XI and Protocol 37.
4. Case C-92/09 and C-93/02, Volker und Markus Schecke GbR v. Land Hessen, Opinion of Advocate General Sharpston delivered on 17 June 2010, point 71.
5. Article 5 (2) and Article 28 (3) (h) of the GDPR.
6. Article 44 and recital 101 of the GDPR, as well as Article 47 (2) (d) of the GDPR.
7. Judgment of the CJEU of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, paragraph 45.
8. “Data exporter” means the data controller or processor within the EEA who transfers personal data to a controller or processor in a third country, in accordance with Annex 1 to Recommendations 1/2020.
9. “Data importer” means the data controller or processor in a third country who receives or gets access to personal data transferred from the EEA, in accordance with Annex 1 to Recommendations 1/2020.
10. Andrea Jelinek, The Chair of the EDPB, in the Conclusions of Recommendations 1/2020.
11. Can be requested by e-mail: email@example.com or tel. 0723067601.