International Data Transfers (7) Flashcards

1
Q

What are the 3 options for data transfers outside of the EEA?

A
  1. Adequacy decision (Article 45)
  2. Appropriate safeguards (Article 46), on condition that enforceable data subject rights and effective legal remedies are available
  3. Derogations for specific situations (Article 49)

(should be considered in this order)

2
Q

Is the controller under obligation to inform data subjects about data transfers?

A

Yes

Must communicate: the intent to transfer the data to a third country or international organisation, the existence or absence of an adequacy decision, and the appropriate safeguards relied on (and how to obtain a copy of them)

3
Q

What is adequacy under GDPR?

A

An adequate level of data protection, as determined by the European Commission, in a third country, a territory or specified sector within that country, or an international organisation. Transfers to an adequate destination may proceed without any specific authorisation.

4
Q

What are the criteria for adequacy?

A

respect of rule of law
access to justice
international human rights standards
general and sectoral laws and case law
effective and enforceable rights for individuals
data protection rules
other international commitments

5
Q

Which countries are deemed adequate by European Commission?

A

Andorra, Argentina, Canada (commercial organisations subject to PIPEDA only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, UK, Uruguay

6
Q

What happened in Schrems v Data Protection Commissioner?

A

The CJEU invalidated the Safe Harbor adequacy decision (2015).

Schrems, a Facebook user in Austria, complained to the Irish supervisory authority that Facebook Ireland was improperly transferring his data to the US, where it could be accessed by the NSA. The Court also held that a supervisory authority must be able to examine such a complaint independently, even where a Commission adequacy decision exists.

7
Q

What was the subsequent ruling in Schrems 2?

A

The CJEU invalidated the Privacy Shield (2020), finding that:

  • US surveillance programmes were not limited to what is strictly necessary and proportionate
  • EU data subjects lacked actionable judicial redress and an effective right to remedy
  • SCCs remain valid, but the exporter must assess case by case whether the law and practice of the destination country undermine the protection they provide, and adopt supplementary measures where they do

8
Q

What is “essential equivalence’’?

A

The level of protection in the destination country must be essentially equivalent to that guaranteed within the EU by the GDPR read in light of the Charter of Fundamental Rights. It need not be identical, but it must be equivalent in substance and effect.

9
Q

Does the UK have adequacy?

A

Yes. The Commission adopted two adequacy decisions for the UK in June 2021, one under the GDPR and one under the Law Enforcement Directive.

10
Q

What is the name of the privacy regulation in the UK?

A

The UK Data Protection Act 2018, which sits alongside the UK GDPR (the retained version of the GDPR)

11
Q

What are appropriate safeguards under Article 46?

A

Approved codes of conduct and certification mechanisms (with binding and enforceable commitments from the importer)
Binding corporate rules
Standard contractual clauses adopted by the Commission
Ad hoc contractual clauses (subject to authorisation by the supervisory authority)
Legally binding and enforceable instruments between public authorities or bodies

12
Q

What are standard contractual clauses?

A

Model clauses adopted by the European Commission under Article 46(2)(c).

A standard form whose terms may not be altered (though the clauses may be included in a wider contract), allowing an exporter in the EEA to send personal data to an importer outside the EEA without further authorisation.

Post Schrems II, companies must still conduct a case-by-case assessment of the laws and practices in each recipient country to ensure essential equivalence to EU law for personal data transferred under SCCs or BCRs, and adopt supplementary measures where needed.

13
Q

What is a TIA?

A

Transfer Impact Assessment

Industry term (not defined in the GDPR) for the exporter's documented assessment of whether the law and practice of the destination country undermine the protection provided by the transfer tool, i.e. whether essential equivalence is achieved

14
Q

What are codes of conduct as an appropriate safeguard for data transfers?

A

Compliance-signalling tools for controllers and processors

Drawn up or revised by associations or other bodies representing categories of controllers or processors, and approved under Article 40
Usable as a transfer tool only when combined with binding and enforceable commitments by the importer to apply them (Article 46(2)(e))

15
Q

What are certification mechanisms as appropriate safeguards for data transfers?

A

Recognised by the GDPR (Articles 42 and 46(2)(f)) as acceptable mechanisms for demonstrating compliance, again combined with binding and enforceable commitments by the importer

Issued by accredited certification bodies or by the competent supervisory authority; the EDPB approves criteria for a common certification (the European Data Protection Seal)
Valid for no more than 3 years, renewable
Withdrawn where the requirements are no longer met

16
Q

What are Binding Corporate Rules?

A

Internal, legally binding data protection rules adopted by a group of undertakings, or a group of enterprises engaged in a joint economic activity, for intra-group transfers; approved by the competent supervisory authority (Article 47). They exist in controller and processor forms.

17
Q

What are derogations under Article 49?

A

An exemption from the general prohibition on transferring personal data outside the EEA in the absence of an adequacy decision or appropriate safeguards
A last resort for limited circumstances and specific conditions, interpreted narrowly; not to be used for systematic or large-scale transfers

18
Q

What are the potential conditions for derogations?

A
  1. explicit consent from the data subject, after being informed of the possible risks
  2. necessary for the performance of a contract with the data subject, or for pre-contractual measures taken at the data subject's request
  3. important reasons of public interest
  4. establishment, exercise or defence of legal claims
  5. vital interests of the data subject or others, where the data subject is incapable of giving consent
  6. transfer from a public register
  7. compelling legitimate interests of the controller (non-repetitive, limited number of data subjects, supervisory authority informed)
19
Q

What are the step by step recommendations for data transfers post Schrems II?

A

Step 1: know your transfers (document and map the personal data transferred, including onward transfers)
Step 2: identify your transfer mechanism (tools under Chapter V GDPR). If the destination is covered by an adequacy decision, no further steps are needed.

Step 3: assess the effectiveness of the Article 46 tool in the destination country (is there a law or practice that might impinge on the effectiveness of the safeguards?)
Step 4: identify and adopt supplementary measures (contractual, technical, organisational)
Step 5: take any formal procedural steps required to adopt the supplementary measures
Step 6: re-evaluate the level of protection at appropriate intervals

20
Q

What are the European Essential Guarantees?

A

1) processing based on clear, precise and accessible rules
2) necessity and proportionality need to be demonstrated with regard to legitimate objective
3) independent oversight mechanism
4) effective remedies available to individual

21
Q

What needs to take place for the movement of data to be considered a “transfer”?

A

An exporter (a controller or processor subject to the GDPR) discloses by transmission, or otherwise makes available (including by remote access), personal data to a separate importer (a controller or processor) located in a third country or at an international organisation

22
Q

What does the EC take into account when considering the adequacy of level of protection for a transfer?

A
  1. the rule of law, respect for human rights and fundamental freedoms, and relevant legislation and its implementation
  2. the existence and effective functioning of an independent supervisory authority
  3. international commitments entered into by the country or organisation
23
Q

What were the 7 principles of the Privacy Shield?

A
  1. Notice
  2. Choice
  3. Accountability for onward transfer
  4. Security
  5. Data integrity and purpose limitation
  6. Access
  7. Recourse, enforcement, liability
24
Q

What steps did the Privacy Shield require companies to take to self-certify compliance?

A
  1. conduct an internal compliance assessment to determine the ability to comply with the principles
  2. register with an independent recourse mechanism (third-party dispute resolution provider) for complaints from EU individuals
  3. adopt a Privacy Shield-compliant privacy notice and publish it online
25
Q

What are possible mechanisms to safeguard international transfers?

A

Legally binding and enforceable instrument between public authorities or bodies

Binding Corporate Rules

Standard data protection clauses adopted by the Commission or by a supervisory authority

Approved codes of conduct

Approved certification mechanisms

Ad hoc contractual clauses authorised by the supervisory authority

26
Q

What are the steps of the Transfer Impact Assessment?

A
  1. Know your transfers
  2. Identify transfer tools
  3. Assess effectiveness of transfer tool (article 46)
  4. Adopt supplementary measures
  5. Procedural steps to supplementary measures
  6. Reevaluate at appropriate intervals
27
Q

What elements must full and valid BCRs include?

A

Structure and contact details of corporate group
Data transfers, type of data, processing, purposes, data subjects, third party countries
Legally binding nature of BCRs
Application of data protection principles
Rights of data subjects
Acceptance of liability for breaches
Information provision to data subjects
Tasks of Data Protection Officer
Complaint procedures
Verification of compliance with BCRs
Reporting and recording changes to rules
Cooperation with SA
Reporting to SA
Data Protection training