CIPPE Module 7 - International Data Transfers Flashcards
What are the international data transfer options under GDPR?
GDPR has a blanket ban on data transfers outside the EEA except under the following conditions:
a) Adequacy decisions
b) Appropriate safeguards
c) Derogations
When an international data transfer is involved, what information must controllers provide to data subjects (DS)?
Controllers must also inform data subjects about
a) intent to transfer personal data internationally,
b) presence or absence of adequacy decisions
c) Safeguards
What is adequacy?
Adequacy indicates that there is an adequate level of data protection in the country for EU personal data.
The EC makes adequacy decisions - reviewed every four years
EC considers several factors in Adequacy Decisions:
a) Respect for rule of law
b) Access to justice
c) International human rights standards
d) data protection rules
What are the steps that the EDPB recommends for data transfers in the wake of Schrems II?
- Know your transfers - document/map the personal data being transferred
- Identify your transfer mechanism - is it adequacy or something else (SCC, BCR etc.)?
- Assess the sufficiency of non-EEA protections
- Identify and adopt supplementary measures - to close any gaps with the standard of EU data protection laws (e.g. encryption, pseudonymisation, contracts etc.) - e.g. AWS's Supplementary Addendum is the enhanced commitment.
- Take procedural steps to implement supplementary measures - seek authorization of chosen transfer mechanism
- Re-evaluate at appropriate intervals.
Do UK data protection laws meet EU standards?
Yes.
In 2018, the UK passed the Data Protection Act, which is consistent with GDPR.
As of Dec 2020, the UK has received an adequacy decision from the EU.
What are appropriate safeguards?
- BCRs
- SCC
- Approved Code-of-Conduct & Certification
- Ad hoc contractual clauses
- Reliance on international agreements
What are BCRs?
- Rules designed to allow multinational companies to adopt a policy suite with rules for handling personal data that are binding on the company.
- A competent supervisory authority must sign off on those rules.
- Once approved, company is free to transfer personal data within their org around the world.
What are SCCs?
- Model clauses approved by the EC; a non-negotiable standard form.
You still have to do an equivalence assessment of the laws in the target country.
What is a TIA?
TIA = Transfer Impact Assessment
The process of assessing data protection equivalence in a country.
What are derogations?
Last-resort option to transfer data outside the EEA
Exemption from the prohibition
Limited circumstances and very specific conditions
Only to be used when adequacy or appropriate safeguards aren't available