Schrems II Resources

Keeping in view the risk-based approach, the EDPS recommends certain (1) short-term action plans for data transfers to the United States that present high risks, and (2) medium-term action plans for all data transfers to the U.S and other third countries.

(1) Short-term action plans:

*Mapping: Pursuant to the order of the EDPS released on 5 October 2020, EUIs shall carry out an inventory of all on-going cross-border data processing activities. EUIs will maintain descriptions of data processing operations, destinations, recipients, transfer tools used, types of transferred personal data, categories of data subjects affected, and information on onward transfers in their inventories as part of the mapping exercise.

*Reporting: Based on the above mapping exercise, EUIs shall report by 15 November 2020 on specific risks and gaps that they were able to identify. EUIs are expected to provide specific and transparent information on (1) illegal data transfers which are not based on any transfer tool, (2) transfers that are based on derogations under Article 50 of the Chapter V of the Regulation (EU) 2018/1725., and (3) data transfers that present high risk to data subjects. The third category includes all high-risk data transfers to the U.S. to entities that are subject to Section 702 FISA or E.O. 12333 and transfers that involve processing on a large-scale, sensitive personal data, or data of a highly personal nature.

The EDPS strongly encourages EUIs to avoid any data processing activity that involves personal data transfer to the U.S. and adopt a strong precautionary approach while using any new service provider or engaging in a new data processing operation.

(2) Medium-term action plans

*Transfer impact assessments: The EDPS shall provide a list of preliminary questions to EUI data controllers to conduct transfer impact assessments (TIAs) with data importers. Based on the results of TIAs, EUIs shall assess whether or not a particular third country provides essentially equivalent level of data protection as provided in the EU/EEA. If EUI decides to continue the data transfer to the third country, it shall identify and implement supplementary measures or additional safeguards to ensure essentially equivalent data protection standards in the third country. The EUI shall also assess whether conditions of derogations are adequately fulfilled where a cross-border transfer was permitted based on derogations.

*Reporting: Depending on the results of the TIAs, EUIs will be asked to report to the EDPS in spring 2021 on the following data transfer categories:

**Transfers to a third country that do not ensure an essentially equivalent level of protection,

**Transfers that are suspended or terminated shall be notified in line with Article 47(2) of the Chapter V of the Regulation (EU) 2018/1725., where EUI considers that the third country does not ensure an essentially equivalent level of protection

**Transfers that are based on derogations shall be notified in line with Article 50(6) of the Chapter V of Regulation (EU) 2018/1725.

The goal of the EDPS is to ensure that all ongoing and upcoming international data transfers comply with the EU Charter of Fundamental Rights, GDPR, the CJEU’s decision in Schrems II case and any applicable legal requirement. It aims to issue long-term compliance action plans based on the results of TIAs and mapping exercises.

EDPB mandates the following actions be taken by all data exporters to continue the transfer of EU citizens protected personal data from the EU to non-EEA jurisdictions:

(1) Map all your data flows.

*You must know which non-EEA jurisdictions you are transferring personal data to taking into account all onward transfers and access to stored data within EEA.
*You must also see if the transfers are necessary and minimal. This mapping must be documented.

(2) Verify the transfer tool being relied upon.

*You must know which transfer tool you are relying on to make these data transfers.
*If a recipient juridisction you are transferring to has an adequacy decision, you are done with this assessment. For every other transfer tool under Article 46 of the GDPR, you must take the next step.
*Article 49 transfers can only be occasional and exceptional. This process should be documented.

(3) Assess the law and practice of the recipient jurisdiction.

*Assess and document if there is anything in the law or practice of the recipient jurisdiction - in context of your data transfer - which would impugn the effectiveness of the protections offered to the transferred data by the Article 46 transfer tool.
*Use the EU essential guarantees guidance to evaluate the legal set up of the recipient jurisdiction and the protections offered to the data. Focus on the laws allowing public authorities access to surveil the personal data.
*Analyze only using the law and regulations and cite practice - only if the law is unambiguous or unavailable, use other objective factors (not subjective ones).

(4) Identify and undertake supplementary measures if law of recipient jurisdiction would impugn Article 46 guarantees.

*If your analysis reveals that the legislation of the recipient jurisdiction will impugn the effectiveness of the protections offered to the personal data by the Article 46 transfer tool and you still wish to carry out the transfer you must identify and employ supplementary measures (contractual, organizational and technical measures).
*Contractual and organisational supplementary measures alone will not protect against laws which allow surveillance of the personal data by the public authorities of the recipient jurisdiction - technical measures are a must.
*The supplementary measures must aim to bring the level of protection of the transferred data up to the EU standard of essential equivalence and each supplementary measure employed must be assessed for its effectiveness in the context of the transfer, and in light of the applicable law of the recipient jurisdiction and the transfer tool you are relying on - you must document your reasoning.

(5) Take formal procedural steps to enact supplementary measures.

*You must take formal steps to employ the additional measures you have decided upon.
*For different Article 46 transfer tools, that could mean different processes and could require approval from the relevant Supervisory Authority.

(6) Monitor and regularly reassess effectiveness of supplementary measures.

*Re-evaluate and monitor at appropriate intervals the level of protection afforded to the transferred data by the Article 46 transfer tool and supplementary measures.
*You must remain constantly vigilant of any changes in the law or practice of the recipient jurisidiction or change in guidance by the EDPB or the relevant Supervisory Authority in relation to the protection of the transferred data.

The EDPB adopted a final version of the Recommendations on supplementary measures following public consultation. The Recommendations were first adopted in November 2020 following the CJEU Schrems II ruling. They aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries.

The final version of the Recommendations includes several changes to address comments and feedback received during the public consultation and places a special focus on the practices of a third country’s public authorities.

Among the main modifications (from the earlier adopted draft) are: the emphasis on the importance of examining the practices of third country public authorities in the exporters’ legal assessment to determine whether the legislation and/or practices of the third country impinge - in practice - on the effectiveness of the Art. 46 GDPR transfer tool; the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats; and the clarification that the legislation of the third country of destination allowing its authorities to access the data transferred, even without the importer’s intervention, may also impinge on the effectiveness of the transfer tool.

NA

NA

With the implementation decision of June 4, 2021, the European Commission issued new standard contractual clauses that are intended to enable the legally compliant transfer of personal data to third countries. The conference of the independent data protection supervisory authorities of the federal and state governments (data protection conference, DSK) as well as the European data protection committee (EDPB) point out that an examination of the legal situation in the third country and additional supplementary measures is necessary even if the new EU standard contractual clauses are used.

...

The new standard contractual clauses have not changed anything in the situation described and the obligations arising from it. Rather, they now expressly regulate the requirements that previously only followed from the case law of the European Court of Justice (Clause 14). The EU Commission and the EDSA have deliberately coordinated the new standard contractual clauses and recommendations 01/2020. This means that even if the new clauses are used, the data exporter must check the legal situation and practice of the third country and, if necessary, take additional protective measures or, if this does not succeed, refrain from the transfer.

The following are the official effects of the Schrems II decision by CJEU on international data transfers:

*As per Article 44 of the GDPR Personal Data can only be transmitted to a third country from the EU if an appropriate level of protection to the personal data is guaranteed. This can be evidenced by an adequacy decision by the European Commission and in the absence of such a decision, a suitable guarantee i.e Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs) can be used. If even these are not possible, in the most rare cases, other transfer options in Chapter V of GDPR can be used.

*ECJ confirmed that in light of the Charter of Fundamental Rights of the European Union, data transferred to a third country essentially requires equivalent protection as under the GDPR. ECJ declared the European Commission’s Privacy Shield Decision (2016/1250) invalid as a data transfer mechanism but upheld the SCC decision (2010/87) provided that the protection clauses agreed upon contractually are practically available to data subjects in the third country through enforceable rights and effective mechanisms and remedies.

The Court further denied the US as providing an ‘essentially equivalent’ level of protection. Thus transmissions of personal data are not only invalid and illegal under the Privacy Shield but also through other mechanisms such as SCCs and BCRs.

*ECJ held that in case of transfers of personal data made to third countries based upon suitable guarantees such as SCCs and BCRs, it must be seen that the transferred data, through the appropriate guarantees, enjoys equivalent protection and if the law of the third country prevents compliance with the guarantees, additional measures will need to be taken to establish this protection in a specific case. Transfers via derogations in the GDPR are still possible but they must be exceptional. And even then the requirements for such derogations must be met (i.e express, informative and voluntary consent for the consent derogation).

*Data transfers to the US are no longer possible under the Privacy Shield as the US does not have an essentially equivalent level of protection. Transfers to the US under the SCCs and BCRs still remain possible in principle, provided additional measures are taken on a case to case basis which in a concrete manner protect from unrestricted access of data by US security authorities. This applies to the possibility of transfers under exceptional derogations. It is important to note there is no grace period for compliance. Companies must immediately comply with this decision.

*Companies and Supervisory Authorities must respond and must replace the mechanism of data transfer if they were relying on the Privacy Shield to transfer to the US immediately and secondly, they must check all third countries which are being transferred personal data using one of the suitable guarantees (SCCs, BCRs etc.) and assess whether additional measures will be required to protect the data. The result of these assessments must be documented in a comprehensible manner.

*If it is found during these assessments that there is no essentially equivalent level of protection guaranteed by a third country and transfers to that country have not been suspended or terminated, the Supervisory Authority will need to be advised. This obligation lies on both controllers and processors.

*The Bfdi will continue to evaluate the reactions to this letter and release more detailed guidance on data transfers in specific areas. Further guidance on Schrems II will also be released.

Standard Contractual Clauses (SCCs) are still valid as a data transfer mechanism to companies in third countries (without an adequacy decision) but the level of protection to EU residents must be similar to the protection granted in the EU.

(1) EU data exports must review the level of protection granted to EU residents in the third country keeping in mind Article 46 (1) of the GDPR and EU Charter of Fundamental Rights with a view towards the following factors:

* suitable guarantees by the Controller and Processor;

* enforceable rights;

* effective remedies;

* possibility of access by public authorities in the third country.

(2) It is important for data exporters to note that since the SCCs do not bind the public authorities of the third countries, if the public authorities of the third country can intervene and access the data in voilation of the EU residents rights despite the protections provided by the SCCs, then without additional safeguards, adequate protection is not being granted. In such cases the EU data exporter must, in agreement with the data importer:

* Take appropriate additional safeguards as required on case to case basis;

* If despite taking the additionals safeguards, the level of protection granted to the data cannot be guaranteed by the data exporter or importer, the transfer should be cancelled and the data already transferred deleted by the importer.

If the data exporter or importer continue to carry out the transfer despite adequate protection not being granted, the supervisory authority will have to intervene and stop and cancel the transfer.

(3) The following Checklist should be used by EU data exporters to ensure compliance with the judgement:

* Make an inventory of your data transfers/exports to companies/entities (public or private) in third countries. This includes not just physical storage but also remote access, retrieval and maintenance;

* Immediately instruct in writing to all your processers and sub-processers who transfer data to the US using the Privacy Shield to immediately suspend all transfers of personal data to the US until another alternative transfer mechanism cannot be found which guarantees and adequate and equivalent level of protection to the data;

* Update and adapt your data protection declarations, remove any mention of using Privacy Shield as a transfer mechanism for transfers to the US;

* Check and customize your list of processing activities accordingly;

* Contact your service provider/contractual partner in the third countries you export data to and inform him about the CJEU decision and its consequences;

* See if the data importers you transfer/export data to are based in third countries with adequacy decisions by the EC Commission - the US is no longer adequate after the invalidation of the Privacy Shield by the CJEU - if yes, then then the rest of the checklist does not apply;

* Check whether the data importers you transfer/export data to are based in third countries which can fall under the SCCs decision by the EC Commission. Countries which allow public authorities to dispropotionally intervene in the rights of data subjects (i.e a massive retrieval of data without informing the data subject or providing any judicial oversight) is not providing adequate protection;

* Review the legal situation of the third country to which you transfer data to. Focus on data protection laws of the third country - public authorities' access options including intelligence services on the data, legal protections that can be employed by you, the data importer and the data subjects, case law and official practice in the third country with reference to data protection level etc. Employ the help of EDPB and Supervisory Authorities to conduct this review;

* Reassess whether the transfer to the data importer in the third country can be avoided - consider using services that do not transfer data to the third country, contracting a ban on transfers to the third country or using encryption - only transfer to third countries without an adequacy rating and which do not provide an adequate level of protection to the data if necessary;

* if the transfer is necessary, undertake supplementary measures along with the SCCs to protect the data. Refer to (4) and (5) for mandatory measures.

(4) For countries like the US, where the public authorities can dispropotionally intervene with the data subjects' rights, as has been held by the CJEU, the following additional safeguards necessarily have to be taken:

* Encryption for which “only the data exporter has the key” and which “cannot be broken by U.S. [intelligence] services”;

* Anonymization or pseudonymization where “only the data exporter can re-identify the data”.

However, even these are considered sufficient only for some type of transfers and they are not a catch-all solution - protection must be seen on a case to case basis.

(5) Finally, the data exporter should contact the data importer and consider the following changes in the SCCs:

* Amendment to SCC Clause 4(f): Informing the data subject, not only in the case of transfers of special categories of data, but also in the case of any transfer (before or as soon as possible after the transfer) that his or her data will be transferred to a third country that does not provide an adequate level of protection within the meaning of Regulation (EU) 2016/679.

* Amendment to SCC Clause 5(d)(i): Obligation of the data importer to inform not only the data exporter but also the data subject promptly of any legally binding requests by a law enforcement authority for disclosure of the personal data; if this disclosure of information is otherwise prohibited, e.g. by a criminal law requirement to maintain the secrecy of investigation, the data exporter must contact the LfDI BW and clarify the further procedure. (if informing the data exporter or data subject of the surveillance request is not allowed by the law of the third country, the LfDi SA needs to be contacted for further guidance on how to proceed). Additionaly, general information of requests recieved in the past should also be disclosed by the data importer to the data exporter.

*Amendment to SCC Clause 5(d): Obligation of the data importer to take legal action against the disclosure of personal data and to refrain from disclosing personal data to the relevant public authorities until a competent court of last instance has ordered the importer to disclose the data in a legally binding manner.

*Amendment to SCC Clause 5(h): Along with the data exporter, the data importer should be obligated to inform/notify the affected party of any award of contract to a sub-processor.

*Amendment to SCC Clause 6: The data subject can hold the data exporter or data importer liable for any breach of the provisions of the SCC by the data importer or a sub-processor.

*Inclusion of the illustrative indemnification clause set out in Appendix 2 to the SCC.

NA

NA

The standard contractual clauses still apply. Will everything stay the same for those responsible who use this as a transfer instrument?

Yes and no. An adjustment of the standard contractual clauses by the EU Commission is not necessary. They are valid as such. However, the ECJ has made it clear that those responsible who use the standard contractual clauses must fulfill their obligations arising from them. If it turns out that the processor in the third country is subject to laws that make it impossible for him to follow the instructions of the data exporter, i.e. the person responsible in the EU, and to comply with his contractual obligations, the person responsible for exporting data in the EU has, for example, in accordance with Clause 5 of the standard contract for data transfers from controllers in the EU to processors in third countries (2010/87 / EU) the contractually established right to suspend the data transfer and / or to withdraw from the contract.
This was also the case before. With its ruling, the ECJ made it clear that data-exporting bodies must deal with the legal situation of the target country on a permanent basis in order not to be prosecuted by the supervisory authorities in the EU for data protection violations by the importing body in the third country.

Can the contracting parties adapt the standard contractual clauses themselves and thus create suitable guarantees for their specific contractual relationship?

The ECJ names the possibility of supplementing the standard contractual clauses by the contracting parties in order to nevertheless create suitable guarantees in this specific contractual relationship that the level of protection guaranteed by the GDPR for natural persons is not impaired (Rn. 132). The aim here is to achieve a level of protection that is equivalent to the level guaranteed in the Union by the GDPR in the light of the Charter (marginal numbers 92, 94, 96, 105). The criteria mentioned in Art. 45 (2) GDPR are to be used in particular (marginal no. 104).
It is unclear whether this is actually possible in individual cases, in particular, for example, under the application of security laws such as Sec. 702 Foreign Intelligence Surveillance Act (FISA), as US authorities are not bound by the Standard Contractual Clauses. It is also unclear how this possibility relates to Art. 46 Para. 3 lit. a GDPR, i.e. from when the above additions are subject to a regulatory approval requirement.

Can the standard contractual clauses generally no longer be used for data transfers to the USA?

This is currently under review and will largely depend on the interpretation of US security laws. The security laws in the USA like Sec. 702 FISA, which allows US security agencies to gain access to personal data in certain cases without a court order, takes precedence over telecommunications companies. As a rule, the standard contractual clauses cannot be used for data transfers to such companies. In addition, the law may also have an impact on other companies, e.g. if these companies make use of the services of telecommunications providers, such as cloud services. Then there is the possibility that the US security authorities will gain access to the data in this way. It is also conceivable that solely due to the fact that data is transmitted electronically, i.e. the fact that the data flows through the cables of US telecommunications providers on the way to the recipient in the USA, Sec. 702 FISA applies to all data transmitted in this way. In connection with data transmission to the USA, it should also be borne in mind that, in accordance with US Executive Order 12.333, insufficiently encrypted data can also be monitored if it traverses the transatlantic cables. More generally speaking, this means: In the event that the US security laws that conflict with EU data protection law apply to all data transfers from the EU to the USA, the level of protection in the USA as a whole cannot be regarded as equivalent to the level of protection prevailing in the EU. In this case, the standard contractual clauses, as they are formulated, do not represent suitable guarantees for data transmission to the USA. In the event that the US security laws only apply to certain data transfers to the USA, it is up to the data exporter in the EU, including the respective data importer in the USA, to check whether or which laws in his home country the data importer or the respective data transfer to this is subject to and to evaluate whether the standard contractual clauses represent suitable guarantees in this case.

What do those responsible who use the Standard Contractual Clauses have to do now?

Those responsible must check which laws the data importer in the third country to which they want to transfer the data and, if applicable, its other contractual partners in this business relationship are subject to, and whether these affect the guarantees given in the standard contractual clauses. Possibly. the specific data flows must be analyzed in order to determine which laws of the third country apply in each case. In order to meet the accountability obligation according to Art. 5 Para. 2 GDPR, these tests and the results must be documented. These obligations apply to data transfers to all third countries, not just the USA. Should impairments become apparent, there is the - at least theoretically - possibility of eliminating them by adding to the standard contractual clauses (Rn. 132). Whether it is actually possible to remedy the situation, especially in the event of a conflict between the laws of the third country and European data protection law, is questionable and will show itself in practical application. The individual case must be checked here. Also, from when the limit to ad hoc contracts (Art. 46 Para. 3 lit. a DS-GVO) is exceeded, i.e. when agreements require approval, is still an unresolved question. The check can possibly be bypassed in cases in which other transfer instruments of Chapter V DS-GVO or an exceptional circumstance of Art. 49 DS-GVO can be used. The latter is often considered for travel bookings, for example, but is unlikely to be considered for typical outsourcing scenarios, i.e. services that could also be provided in the EU / EEA but are easier, cheaper or better provided in a third country.

What do those responsible who use the standard contractual clauses have to do if the receiving agency in the third country is subject to a national law that violates the principles of the GDPR or Art. 7 and Art. 8 of the EU Charter of Fundamental Rights?

If the data protection guarantees named in the standard contractual clauses cannot be met by the data importer due to the legal situation in their home country, the data exporter, i.e. the person responsible in the EU, must suspend data transfers there, because otherwise they themselves violate data protection law. Data that have already been transmitted to the third country must all be returned by the data importer or destroyed (marginal number 143). The contracting parties can try to create suitable guarantees by adding to the standard contractual clauses.

What questions do those responsible in the EU now have to ask themselves in connection with the standard contractual clauses?

a) Do I transfer personal data to a country outside the EU or the EEA?
b) If not, the exam ends here. If so: do I use standard contractual clauses of the EU Commission as a transfer instrument within the meaning of Chapter V GDPR?
c) If not, the exam ends here. If so: Is the data importer in the third country or its subcontractors in my business relationship subject to laws of this third country that contravene the GDPR or Art. 7 or Art. 8 of the EU Charter of Fundamental Rights, or is there any other indication that the guarantees given in the standard contractual clauses cannot be met?
d) If not, the exam ends here. If so: Can the standard contractual clauses be supplemented with the help of further agreements between the contracting parties in such a way that the level of protection thus created is essentially equivalent to the level of protection guaranteed in the Union?
e) If so, the exam ends here. If not: Can the data transfer be based on another transfer instrument within the meaning of Chapter V DS-GVO or on an exceptional fact of Art. 49 DS-GVO?
f) If so, everything is fine. If necessary, adapt your information in accordance with Art. 13 GDPR. When applying Art. 49 Para. 1 lit. a DS-GVO that the consent must be given voluntarily, earmarked, informed and unambiguous. If not: Suspend the data transfer immediately and request the data importer to return the data that has already been transmitted or request them to destroy the data. Get in touch with future contractual partners in countries where your data is better protected.

NA

NA

NA

NA

NA

As a first step, companies and public bodies in Hessen are therefore advised that the transfer of personal data to third countries such as the USA is not permitted without additional protective measures.

The HBDI expects the data processing centers in Hesse to check whether their IT systems transfer personal data to third countries in which there is an insufficient level of data protection. If this is the case, they must be able to prove that they have carried out the necessary tests and, if necessary, initiated the first steps to ensure that the data processing methods used, such as video conference systems, meet the requirements of the GDPR. This can vary in complexity depending on the processing process.

In the case of process changes that are easy to implement and for which functionally equivalent alternatives that can be used in accordance with data protection already exist (such as the use of video conference systems), immediate implementation activities are expected from the data processing units.

If the need for implementation for more complex procedures is identified, an appropriate roadmap for implementation must be drawn up. The HBDI supports this implementation process with advice. When acting as a supervisory authority, it will take into account the implementation periods required for this.

NA

NA

NA

NA

NA

The method proposed below by the CNIL is given only as an indication, in order to help data controllers to identify and process transfers of personal data outside the EU:

1. List the transfers of personal data linked to your digital tools

The inventory should make it possible to highlight any transfers of personal data outside the European Union carried out as part of your business activities (customer / user oriented) and your support functions.

• Check your digital tools (technical section)
• Check your contracts (legal aspect)
• Complete or constitute your tool for monitoring transfers outside the EU

2. Define an action plan

• Determine the criticality for your organization
• Assess whether the transfers have a legal basis and possible solutions
• Have the solutions identified by the person in charge of your organization validated and follow up

"1. In practice, who should draw the consequences of the decision of the Court of Justice of the EU?

In accordance with the principle of responsibility, these are primarily organizations wishing to transfer data outside the European Union. Both data controllers and data transfer processors are accountable for these requirements.

2. What are the main actions to be implemented for the organizations concerned?

Data controllers and subcontractors are first of all advised to identify all the transfers of personal data outside the European Union to which they make, and in particular to the United States of America. It is then recommended to carry out a rigorous assessment of the legality of each of these transfers, in particular taking into account the decision of the Court of Justice of the European Union. Finally, the organizations concerned should define an action plan to enable them, if necessary, to comply with the legal framework applicable to data transfers. The CNIL proposes here a method to precisely identify these transfers, by means of a technical and legal census, and to implement an action plan adapted to your organization. In the context of these compliance actions, two steps are essential:
(i) the assessment of the legislation of the third country to which the data is transferred;
(ii) if necessary, the implementation of additional measures to ensure a sufficient level of data protection.

3. Who is responsible for the assessment of the laws of third countries applicable to the transferred data and when should this assessment take place?

In accordance with the principle of responsibility, it is the body carrying out the data transfer which must assess whether the data transferred to the third country will benefit from a sufficient level of protection.

4. What exactly should we evaluate?

The assessment of the level of protection from which the transferred data will benefit must relate to the specific legislation (s) applicable to the transfers in question. In all cases, it must aim to determine whether the guarantees contained in the transfer management tool ( CCT , BCR , etc.) can be respected in practice or whether the legal framework for the destination of the transfer has the effect of reducing or eliminating the application of these guarantees.The applicable legislation in matters of intelligence and access by the competent public authorities must be the subject of a particular examination. It may also be necessary to examine other sectoral legislation.

5. How to proceed with this evaluation?

The assessment of the applicable legislation must be made on a case-by-case basis and depending on the nature of the transfers concerned. Organizations wishing to carry out such data transfers can use two main tools:
(i) the decisions of the CJEU or the European Court for the Protection of Human Rights, which have been able to assess the compliance of certain laws with European data protection standards.
(ii) The recommendations of the European CNIL, which for example detailed the essential guarantees that must be found (4 guarantees), in terms of surveillance, in the third country when assessing the level of data protection.

6. What are the categories of additional measures to be implemented?

Three types of measures can be put in place cumulatively to ensure the correct application of the guarantees provided for in the transfer management tool:
(i) technical measures, in particular data encryption or pseudonymization measures;
(ii) organizational measures, for example to ensure that the recipient of the transfer will not store the data received from its subsidiaries if they are located in third countries which have legislation that does not comply with European surveillance requirements, for example;
(iii) legal measures, for example a clarification in the contractual commitments framing the transfer of the definition of a particular concept if it is not understood in the same way in the rights of the exporter and the importer, or the 'contractual imposition of technical or organizational measures."

NA

NA

NA

NA

NA

NA

"If you have transferred personal information to the United States on the basis of the Privacy Shield, you should consider whether you can use a different transfer basis in the future, as it is now illegal to use the Privacy Shield. Alternatively, you can consider whether one of the exceptions in Article 49 can be used.

If you are considering using, for example, the Commission's standard contracts as a basis for future transfers, be aware that - although the European Court of Justice has initially declared the standard contracts valid - you must assess the circumstances in the third country to which you want to transfer personal data. The assessment must ensure that the protection established through the use of the standard contracts is "essentially equivalent" to that which we have in the EU, and thus not undermined by the conditions in the third country. In the assessment, it will be relevant, for example, to look at the legislation of the third country, including the possibilities for the authorities (e.g. the intelligence services) to gain access to personal data, the control thereof and the data subjects' means of redress.

If you use the EU Commission’s standard contracts to transfer personal data to the United States and/or third countries and your investigations show that you cannot ensure an adequate level of protection using the transfer tools in the GDPR – and the exceptions in Article 49 cannot be applied either – stop transferring personal data. In relation to Article 49, you should pay particular attention to the fact that the exceptions have a very narrow scope and that several of them cannot be used if you are a public authority.

If you have transferred information on the basis of the standard contracts and the transfer can no longer take place, ask the recipient in the third country to delete or return the transferred information."

How to understand which article of the General Regulation applies to a specific data transfer?

It should first be ascertained whether the third country or international organization to which the data is to be transferred has received a decision from the European Commission that an adequate level of data protection is ensured in that country, sector or international organization. A list of countries with a sufficient level can be found on the European Commission's website. If the Commission's adequacy decision exists, it is not necessary to apply to the Inspectorate for a special permit for the transfer of data. In the absence of a decision on adequacy for a State or an international organization, data may generally be transferred subject to the safeguards described in Article 46 of the General Regulation or to the application of the exceptions described in Article 49 of the General Regulation.

Transmission in application of safeguard measures (Article 46)

Article 46 of the CCIP describes the safeguards under which personal data may be transferred to a third country whose level of data protection has not been assessed as adequate. It can be transmitted using either binding intra-group rules, standard data protection clauses, legally binding documents between public sector bodies or codes of conduct, etc. Using the European Commission's Standard Contractual Clauses, the text of the standard data transfer agreement is provided and must be followed by the parties to the agreement. In its judgment of 16.07.2020 in case C-311/18, the ECJ upheld this protection measure, but emphasized that data protection supervisory authorities must suspend or prohibit the transfer of data to a third country if, in all circumstances, it is considered that the protection of personal data cannot be ensured in that third country. .
Where the safeguards listed in Article 46 (2) are used , the Inspectorate need not apply for a specific authorization for the transfer of data. A special permit must be requested from the Inspectorate if the transfer takes place in accordance with Article 46(3) CISA (so-called 'ad hoc agreement between the controller and the processor in a third country, administrative arrangements between a public authority or bodies, including legally protected and effective data subjects' rights'). Before issuing an authorization decision, the Authority shall seek the opinion of the European Data Protection Board in order to apply the continuity mechanism provided for in the General Regulation.

Transmission to the United States

The United States is considered to have an insufficient level of data protection. Until 16 July 2020, companies were able to transfer personal data to the United States using the European Commission's Implementing Decision 2016/1250 (Privacy Shield) as a data protection framework, which regulated the adequacy of personal data protection when transferring data between the European Union and the United States. The Commission Implementing Decision was terminated by the judgment of the Court of Justice of 16.07.2020 in Case C-311/18 , which necessitated the use of alternative safeguards for the transfer of personal data. The transfer of personal data to the United States is subject to the safeguards provided for in Article 46 of the General Data Protection Regulation (GPA) or to through the exceptions in Article 49 . The European Data Protection Board has issued a further clarification [in its FAQs].

NA

NA

NA

NA

NA

NA

NA

NA

NA

The EDPB adopted a final version of the recommendations concerning the additional measures following a public consultation which found a very wide response to the parties concerned.

Following the Schrems II judgment of the Court of Justice of the European Union, the recommendations aim to help data controllers and processors acting as data exporters to define and implement additional measures appropriate when they are necessary to ensure an essentially equivalent level of protection for the data they transfer to third countries. Among the main changes are:

(i) Emphasis on the importance of examining the practices of public authorities in third countries in the legal assessment of exporters in order to determine whether the legislation and / or practices of the third country infringe - in practice - on efficiency the GDPR transfer tool of Article 46;
(ii) The possibility that the exporter takes into account the practical experience of the importer in his assessment; and
(iii) The clarification that the legislation of the third country of destination allowing its authorities to access the transferred data, even without the intervention of the importer, may also undermine the efficiency of the transfer tool.

NA

If you could conclude that the level of protection will not be equivalent to that in the EEA, you must implement further measures that compensate for this and that ensure a similar level of protection in practice. If there are no such additional measures or you are not able to implement such measures, you cannot transfer the personal data.

What the additional measures may entail must be decided in each individual case, in light of the specific circumstances. It could potentially be a question of legal, technical or organizational measures. At present, however, there is great uncertainty as to what kind of additional measures may be sufficient if the third country has laws that take precedence over the obligations under the transfer bases or otherwise lower the level of protection. This means that at present it is very challenging to transfer personal data to such third countries, and in practice it will probably not be possible for most people to do so.

We plan to prepare updated guidance on the transfer of personal data to third countries within a short time.

NA

NA

NA

NA

NA

"Contractual safeguards such as the EU’s SCCs, which are also frequently used in Switzerland, or so-called ‘binding corporate rules’ cannot prevent foreign authorities from accessing personal data if the public law of the importing country takes precedence and allows official access to the transferred personal data without sufficient transparency and legal protection of the persons concerned.17 This is true not only in the case of transfer of personal data to the USA, but also to numerous other countries with inadequate legal protection, referred to here as ‘non-listed countries’. Accordingly, it is to be assumed that in many cases the SCCs and comparable provisions do not meet the requirements for contractual safeguards pursuant to Art. 6 Para. 2 Let. a FADP for data transfer to non-listed countries.

Practical advice for Swiss companies
When transferring data to non-listed countries in the future, data exporters should always consider each individual case with due diligence:
a) If the disclosure of data is based on contractual guarantees such as SCCs within the meaning of Art. 6 Para. 2 Let. a FADP, a risk assessment should be carried out. The exporter should check whether the clauses cover the data protection risks existing in the non-listed country. If necessary, the clauses should be expanded, although this in itself remains of limited effect if the public law of the given country takes precedence and deviates from these, as explained under b) below.
b) When examining data protection risks, it is of particular relevance whether the data is transferred to a company in a non-listed country that is subject to special access by the local authorities. 18 It must also be considered whether the foreign recipient company is entitled and in a position to provide the cooperation necessary for the enforcement of Swiss data protection principles. If this is not the case, any provisions in the SCCs concerning the obligation to cooperate are negated.
c) In such cases, the Swiss data exporter must consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data. If data is stored solely in the cloud by service providers in a non-listed country, for example, encryption would be conceivable, along the principles of BYOK (bring your own key) and BYOE (bring your own encryption), so that no individual personal data would be available in the destination country and if the service provider would have no possibility of decoding the data themselves. For services in the target country that go beyond mere data storage, however, the use of such technical measures is demanding. If such measures are not possible, the FDPIC recommends refraining from transferring personal data to the non-listed country on the basis of contractual guarantees.

"Contractual safeguards such as the EU’s SCCs, which are also frequently used in Switzerland, or so-called ‘binding corporate rules’ cannot prevent foreign authorities from accessing personal data if the public law of the importing country takes precedence and allows official access to the transferred personal data without sufficient transparency and legal protection of the persons concerned.17 This is true not only in the case of transfer of personal data to the USA, but also to numerous other countries with inadequate legal protection, referred to here as ‘non-listed countries’. Accordingly, it is to be assumed that in many cases the SCCs and comparable provisions do not meet the requirements for contractual safeguards pursuant to Art. 6 Para. 2 Let. a FADP for data transfer to non-listed countries.

Practical advice for Swiss companies When transferring data to non-listed countries in the future, data exporters should always consider each individual case with due diligence:
a) If the disclosure of data is based on contractual guarantees such as SCCs within the meaning of Art. 6 Para. 2 Let. a FADP, a risk assessment should be carried out. The exporter should check whether the clauses cover the data protection risks existing in the non-listed country. If necessary, the clauses should be expanded, although this in itself remains of limited effect if the public law of the given country takes precedence and deviates from these, as explained under b) below.
b) When examining data protection risks, it is of particular relevance whether the data is transferred to a company in a non-listed country that is subject to special access by the local authorities.
c) In such cases, the Swiss data exporter must consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data. If data is stored solely in the cloud by service providers in a non-listed country, for example, encryption would be conceivable, along the principles of BYOK (bring your own key) and BYOE (bring your own encryption), so that no individual personal data would be available in the destination country and if the service provider would have no possibility of decoding the data themselves. For services in the target country that go beyond mere data storage, however, the use of such technical measures is demanding. If such measures are not possible, the FDPIC recommends refraining from transferring personal data to the non-listed country on the basis of contractual guarantees.

"Based on a flowchart, the guide explains steps required for international data transfers. It suggests to assess the transfer, identify whether the personal data is provided with adequate protection and if it is determined there would not be adequate protection, implement additional measures or cease transferring the personal data.

The Guide also explains four guarantees required in relation to official access in the third country (e.g. for national security or criminal investigation purposes). These guarantees are:
1. principle of legality: clear, precise and accessible rules
2. proportionality of the powers and measures regarding the regulatory objectives pursued
3. effective legal remedies must be available to the individual
4. guarantee of legal recourse and access to an independent and impartial court"

NA

"There is no longer scope for the data controller to itself decide whether an adequate level of protection exists or not. Only the European Commission can take such a decision."