|Step 1||Know your transfers|
Which processors you transfer data to and why,
Record onward transfers to sub-processors,
Check the transfers are minimal, adequate and limited to the purpose.
|Step 2||Verify the transfer tool your transfer relies on|
Standard Contractual Clauses (SCCs),
Binding Corporate Rules (BCRs),
Codes of conduct,
Ad-hoc contractual clauses or
Derogations in Article 49 of the GDPR.
|Step 3||Assess the law or practice of the third country|
Verify you can recover your data and respond to Data Subject Access Requests (DSARs),
Perform regime assessments.
|Step 4||Identify and adopt supplementary measures (technical, contractual or organisational)|
Purposes for which the data are transferred and processed,
Types of entities involved in the processing,
Sector in which the transfer occurs,
Categories of personal data transferred,
Whether the data will be stored in the third country or within the EU/EEA,
Format of the data to be transferred,
Onward transfers from the third country to another third country.
|Step 5||Formalise the procedural steps to implement your supplementary measures|
Standard Contractual Clauses (SCCs),
Binding Corporate Rules (BCRs),
Ad-hoc contractual clauses.
|Step 6||Review your supplementary measures regularly|
Can the vendor keep to their commitments to you?
Are the supplementary measures still effective?
The European Data Protection Board (EDPB) has adopted these recommendations and most industry observers have noted that this will still entail a fair amount of legwork for affected organisations. This is where we can help. Proteus-Cyber has developed a simple standalone SaaS solution called Proteus®NextGen Schrems II which supports these six steps, providing the mechanisms for capturing and implementing the information required to follow them.
You can import your third-party vendor lists from Excel easily, issue pre-configured Transfer Impact Assessments (TIAs), automatically risk assess third-parties, take account of hostile regimes and adopt the appropriate transfer tool; this may include the automatic generation of vendor-specific SCC contracts, whether for Controller to Controller; Controller to Processor; Processor to Sub-Processor or Processor to Controller transfers. The contracts can be digitally signed by the vendor.
As a first step, the EDPB advises you, data exporters, to know your transfers. Mapping all transfers of personal data to third countries can be a difficult exercise. Being aware of where the personal data goes is however necessary to ensure that it is afforded an essentially equivalent level of protection wherever it is processed. You must also verify that the data you transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country.
A second step is to verify the transfer tool your transfer relies on, amongst those listed under Chapter V GDPR. If the European Commission has already declared the country, region or sector to which you are transferring the data as adequate, through one of its adequacy decisions under Article 45 GDPR or under the previous Directive 95/46 as long as the decision is still in force, you will not need to take any further steps, other than monitoring that the adequacy decision remains valid. In the absence of an adequacy decision, you need to rely on one of the transfer tools listed under Articles 46 GDPR for transfers that are regular and repetitive. Only in some cases of occasional and non-repetitive transfers may you be able to rely on one of the derogations provided for in Article 49 GDPR, if you meet the conditions.
A third step is to assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer. Your assessment should be primarily focused on third country legislation that is relevant to your transfer and the Article 46 GDPR transfer tool you are relying on and that may undermine its level of protection. For evaluating the elements to be taken into account when assessing the law of a third country dealing with access to data by public authorities for the purpose of surveillance, please refer to the EDPB European Essential Guarantees recommendations. In particular, this should be carefully considered when the legislation governing the access to data by public authorities is ambiguous or not publicly available. In the absence of legislation governing the circumstances in which public authorities may access personal data, if you still wish to proceed with the transfer, you should look into other relevant and objective factors, and not rely on subjective factors such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards. You should conduct this assessment with due diligence and document it thoroughly, as you will be held accountable to the decision you may take on that basis.
A fourth step is to identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool you are relying on or you intend to rely on in the context of your transfer. These recommendations contain (in annex 2) a non-exhaustive list of examples of supplementary measures with some of the conditions they would require to be effective. As is the case for the appropriate safeguards contained in the Article 46 transfer tools, some supplementary measures may be effective in some countries, but not necessarily in others. You will be responsible for assessing their effectiveness in the context of the transfer, and in light of the third country law and the transfer tool you are relying on and you will be held accountable for the decision you take. This might also require you to combine several supplementary measures. You may ultimately find that no supplementary measure can ensure an essentially equivalent level of protection for your specific transfer. In those cases where no supplementary measure is suitable, you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data.
A fifth step is to take any formal procedural steps the adoption of your supplementary measure may require, depending on the Article 46 GDPR transfer tool you are relying on. These recommendations specify these formalities. You may need to consult your competent supervisory authorities on some of them.
The sixth and final step will be for you to re-evaluate at appropriate intervals the level of protection afforded to the data you transfer to third countries and to monitor if there have been or there will be any developments that may affect it. The principle of accountability requires continuous vigilance of the level of protection of personal data.
BOOK A 10 MINUTE DEMO