The European Data Protection Board (EDPB) has adopted these recommendations and most industry observers have noted that this will still entail a fair amount of legwork for affected organisations. This is where we can help. Proteus-Cyber has developed a simple standalone SaaS solution called Proteus®NextGen Schrems II which supports these six steps, providing the mechanisms for capturing and implementing the information required to follow them.
You can import your third-party vendor lists from Excel easily, issue pre-configured Transfer Impact Assessments (TIAs), automatically risk-assess third parties, take account of hostile regimes and adopt the appropriate transfer tool. This may include the automatic generation of vendor-specific SCC contracts, whether for Controller-to-Controller, Controller-to-Processor, Processor-to-Sub-Processor or Processor-to-Controller transfers. The contracts can be digitally signed by the vendor.
It couldn't be easier to simplify the creation and management of these contracts.
Step 1 – Know your transfers
As a first step, the EDPB advises you, data exporters, to know your transfers. Mapping all transfers of personal data to third countries can be a difficult exercise. Being aware of where the personal data goes is however necessary to ensure that it is afforded an essentially equivalent level of protection wherever it is processed. You must also verify that the data you transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country.
Step 2 – Verify the transfer tool your transfer relies on
A second step is to verify the transfer tool your transfer relies on, amongst those listed under Chapter V GDPR. If the European Commission has already declared the country, region or sector to which you are transferring the data as adequate, through one of its adequacy decisions under Article 45 GDPR or under the previous Directive 95/46 as long as the decision is still in force, you will not need to take any further steps, other than monitoring that the adequacy decision remains valid. In the absence of an adequacy decision, you need to rely on one of the transfer tools listed under Article 46 GDPR for transfers that are regular and repetitive. Only in some cases of occasional and non-repetitive transfers may you be able to rely on one of the derogations provided for in Article 49 GDPR, if you meet the conditions.
Step 3 – Assess the law or practice of the third country
A third step is to assess whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer. Your assessment should be primarily focused on third country legislation that is relevant to your transfer and to the Article 46 GDPR transfer tool you are relying on, and that may undermine its level of protection. For the elements to be taken into account when assessing the law of a third country dealing with access to data by public authorities for the purpose of surveillance, please refer to the EDPB European Essential Guarantees recommendations. In particular, this should be carefully considered when the legislation governing access to data by public authorities is ambiguous or not publicly available. In the absence of legislation governing the circumstances in which public authorities may access personal data, if you still wish to proceed with the transfer, you should look into other relevant and objective factors, and not rely on subjective factors such as the likelihood of public authorities' access to your data in a manner not in line with EU standards. You should conduct this assessment with due diligence and document it thoroughly, as you will be held accountable for the decision you may take on that basis.
Step 4 – Identify and adopt supplementary measures
A fourth step is to identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool you are relying on or you intend to rely on in the context of your transfer. These recommendations contain (in annex 2) a non-exhaustive list of examples of supplementary measures with some of the conditions they would require to be effective. As is the case for the appropriate safeguards contained in the Article 46 transfer tools, some supplementary measures may be effective in some countries, but not necessarily in others. You will be responsible for assessing their effectiveness in the context of the transfer, and in light of the third country law and the transfer tool you are relying on and you will be held accountable for the decision you take. This might also require you to combine several supplementary measures. You may ultimately find that no supplementary measure can ensure an essentially equivalent level of protection for your specific transfer. In those cases where no supplementary measure is suitable, you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data. You should also conduct this assessment of supplementary measures with due diligence and document it.
Step 5 – Formalise the procedural steps to implement your supplementary measures
A fifth step is to take any formal procedural steps the adoption of your supplementary measure may require, depending on the Article 46 GDPR transfer tool you are relying on. These recommendations specify these formalities. You may need to consult your competent supervisory authorities on some of them.
Step 6 – Review your supplementary measures regularly
The sixth and final step will be for you to re-evaluate at appropriate intervals the level of protection afforded to the data you transfer to third countries and to monitor if there have been or there will be any developments that may affect it. The principle of accountability requires continuous vigilance of the level of protection of personal data.
Published 22 January 2021
Last Modified 22 January 2021