Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://www.itgovernance.eu/blog/en/how-to-transfer-data-to-a-third-country-under-the-gdpr below:

4 Mechanisms for Transferring Personal Data Internationally Under the GDPR

Do you transfer personal data outside the EU?

Because you outsource (including Cloud storage), for example? Or because you’re an international organisation?

Then you need to put appropriate safeguards in place.

This isn’t just to ensure compliance with the GDPR (General Data Protection Regulation):

You don’t need to view the GDPR as a compliance headache.

Yes, the Regulation grants personal data a level of protection not automatically guaranteed outside the EU. And it aims to prevent EU residents from losing that protection once their data leaves the EU, so restricts international transfers. (That’s transfers to ‘third countries’ – i.e. non-EEA countries.)

The GDPR therefore permits international transfers only if you’ve implemented sufficient safeguards – adequate security measures and an appropriate transfer mechanism.

This isn’t just a question of meeting your legal obligations.

Ensuring such safeguards protects your organisation financially, reputationally and operationally – because it:

• Avoids data breaches;
• Ensures data integrity and availability; and
• Prevents you from becoming liable for someone else’s mistake.

Let’s explore four mechanisms for transferring personal data to a third country under the GDPR, and how they protect your organisation:

1. Adequacy
2. Standard contractual clauses
3. Binding corporate rules
4. Certification

Note: Other mechanisms exist, such as derogations for specific situations and compelling legitimate interests, but unlike the four mechanisms listed above, these must be used infrequently and concern a limited number of individuals.

Adequacy decisions are usually the easiest mechanism for transferring data internationally.

Article 45 of the GDPR grants the European Commission the power to determine that a third country offers an ‘adequate’ level of data protection, based on factors like local legislation and its enforcement.

That means personal data may flow freely between the EU and these ‘adequate’ countries, which are:

• Andorra
• Argentina
• Canada (commercial organisations)
• Faroe Islands
• Guernsey
• Isle of Man
• Israel
• Japan
• Jersey
• New Zealand
• South Korea
• Switzerland
• UK
• Uruguay
• US (commercial organisations, under the EU-US Data Privacy Framework)

You can get an up-to-date list of adequacy decisions on the European Commission website.

Also note that personal data can flow freely between public authorities internationally, subject to “a legally binding and enforceable instrument” (Article 46(2)(a)).

Where you can rely on an adequacy decision, you can’t just start transferring data to that third country: you’ll need a standard Article 28 contract first.

This contract doesn’t just need to meet the requirements of Article 28 by setting out information like:

• The subject-matter, nature, purpose and duration of the processing;
• The type of personal data being processed;
• The categories of data subjects; and
• Your obligations and rights as a controller.

It must also stipulate that the data processor:

• Only processes data according to your instructions;
• Doesn’t engage sub-processors without your written agreement, and where it does engage them, that it’ll enforce the obligations set out in your contract;
• Takes appropriate technical and organisational measures, meeting the requirements of Article 32 (the Europrivacy™^/® certification scheme can help with this);
• Ensures the people authorised to process the data commit to confidentiality;
• Will help your accommodate the data subject rights and complete DPIAs (data protection impact assessments); and
• Returns or deletes all data, including copies, once the contract ends.

That’s as far as ‘direct’ GDPR requirements go – many of which are clearly also sensible business precautions. You wouldn’t, for example, want to end up in the headlines for a data breach where it turned out you failed to ensure your processor has implemented basic security!

But you can expand your checklist for contracts beyond the GDPR:

• Has the processor restricted their liability if they cause a data breach?
• Does the contract contain clawback provisions?
• What business continuity or service availability guarantees does the contract give?

Adding non-mandatory items like this can pay dividends to your organisation from a purely business perspective. Plus, while these might not be GDPR requirements, ensuring operational resilience – including in your supply chain – is a legal requirement under, for example, DORA and NIS 2.

SCCs (standard contractual clauses) are model contractual clauses, freely available on the European Commission’s website, as provided for by Article 46(2)(c).

Here’s what you need to know:

• If you use the SCCs without changing or removing any of the mandatory clauses, they should comply with Article 28. (Also, you don’t need both SCCs and a separate Article 28 contract.)
• You may, however, change the commercial terms (including adding clauses), so long as they don’t change the meaning of the pre-written clauses.
• Multiple SCCs are available, so make sure you select the correct ones! Are you using them for a controller or processor? They’ll also differ depending on where you’re transferring the data to.
• Another element organisations tend to overlook is the associated risk assessment – the TIA or ‘transfer impact assessment’. You must complete it to confirm that the data transfer can go ahead.
• The SCCs only apply to the data processing activities set out within them – not to the parties involved in those activities. So, you must draft new contracts every time the activities change. 

SCCs work well where the organisations are likely to participate in two-way data sharing, as well as in internal personal data transfers with straightforward processing.

For international organisations, however, SCCs can quickly become cumbersome, as you’d need to use contracts for every pairing of entities. (And potentially different SCCs for different processing activities, too!)

Finding this blog useful? To get notified of future
expert insight like this, subscribe to our free
weekly newsletter: the Security Spotlight.

BCRs (binding corporate rules) under Article 47 are a more convenient option for international organisations.

These are a legally binding set of internal rules that regulate international data transfers within one multinational. They’ll set out details like how you’re applying the data protection principles, how you’re accommodating data subjects’ rights, tasks of the DPO (data protection officer), etc.

Though BCRs cover a much larger and more complex set of processing activities than SCCs, and can therefore be cumbersome to implement, you’ll only need one set of rules, provided that: 

• You’ve properly integrated all data privacy laws you may need to comply with, from all countries involved; and
• You have the correct supporting documents to go with them – policies and procedures, audit plans, guidelines, etc.

For the BCRs to be valid, your supervisory authority must sign them off.

Another provision, under Article 42, is certification.

We already have Europrivacy, but this certification mechanism currently doesn’t account for international transfers, and can’t be used outside the EU or EEA.

However, Europrivacy is currently being extended to meet the Article 46(2)(f) requirements as an approved mechanism for international transfers under the GDPR.

Once approved by the EDPB, this means organisations could use Europrivacy certification as an approved mechanism for international transfers – but one that offers a far higher level of assurance than the mechanisms discussed above due to the independent verification of the controls in place.

Where international transfers are involved, the risks to data subjects are higher.

That means you may need to conduct a DPIA (data protection impact assessment), so you can pin down those risks and implement appropriate measures to mitigate them.

In fact, DPIAs are mandatory under the GDPR for processing activities likely to result in a high risk to data subjects’ rights and freedoms.

Need expert help assessing your data protection risks and selecting appropriate controls?

We first published a version of this blog in January 2020.

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.3