The EDPB adopted its final recommendations on the supplementary measures for data transfers from the EU to a third country in June 2021. The recommendations outlined a six-step roadmap that organizations can use to help support the assessment of the legal system in third countries and the application of the appropriate supplementary measures to ensure an EU level of protection for the personal data being transferred. In a previous installment of this series we took a deeper look at steps one and two of the six-step roadmap; in this second part of the series we unpack steps three and four.

Watch the webinar: Schrems II Solutions: What You Need to Follow the EDPB Recommendations

The EDPB 6 Step Roadmap

Step 3: Assess whether Article 46 GDPR transfer tools are effective in light of all circumstances of the transfer

In the absence of an adequacy decision, Article 46 of the GDPR outlines several transfer tools that offer appropriate safeguards for data exporters to use to transfer personal data to a third country. However, the EDPB outlines in the third step of their final recommendations that organizations must assess the laws and practices of the third country that might impact the effectiveness of the transfer tool they are relying on.

When carrying out a third country assessment, the EDPB highlights considering the specific legal context for your data transfer, including:

  • Purposes of the transfer;
  • Entities involved in processing the data;
  • Sector in which the transfer occurs;
  • Categories of personal data;
  • Location of stored data or the availability of remote access to data stored within the EU;
  • Format of the data;
  • Possibility of onward transfers from the third country to another third country.

When it comes to assessing the legislation of a third country, data exporters, in collaboration with the data importer, are encouraged to evaluate whether the legislation presents risks such as unrestricted access to personal data by public authorities, and to examine whether legislation that meets EU standards on paper is actually applied in practice. Data exporters should also consider whether the practices in the third country are necessary and proportionate to safeguard the objectives of a democratic society, such as those outlined in Article 23 of the GDPR, and take into account the practical experience of the importer. If the legislation in the third country is not routinely applied, or the practices of the third country do not align with the protections of the transfer tool you are relying on, the EDPB states that you must suspend the transfer until adequate supplementary measures have been implemented.

In a third scenario, where your data or your data importer may fall within the scope of “problematic legislation”, data exporters are given three options: suspend the transfer, apply supplementary measures, or continue the transfer without supplementary measures on the basis that the data exporter can demonstrate that it is reasonable to believe the “problematic legislation” will not be applied in practice.

How OneTrust Helps: OneTrust DataGuidance Schrems II Portal offers the Third Country Assessment Comparison Chart to help assess and compare third country legislation as well as further resources to help you understand what the CJEU’s judgment may mean for organizations.

Step 4: Adopt Supplementary Measures

If, having completed a third country assessment, it is established that the Article 46 transfer tool you are relying on is ineffective in light of third country legislation and practices, data exporters will need to adopt supplementary measures to ensure a level of data protection essentially equivalent to that guaranteed under EU law.

In Annex 2 of the EDPB final recommendations, several supplementary measures that data exporters can adopt are outlined, including:

  • Technical Measures
    • Encryption
    • Pseudonymization
    • Split processing
  • Additional Contractual Measures
    • Contractual obligation to use specific technical measures
    • Transparency clauses
    • Empowering data subjects to exercise their rights
  • Organizational Measures
    • Internal policies for the governance of transfers especially with groups of enterprises
    • Transparency and accountability measures
    • Organizational methods and data minimization measures
    • Adoption of standards and best practices

In their final recommendations, the EDPB states that, where appropriate, the data exporter can adopt multiple supplementary measures to ensure a level of essential equivalence. However, it is the responsibility of the data exporter to guarantee that any supplementary measure adopted is effective for the specific transfer, and this should be reviewed on a case-by-case basis. There may also be instances where no supplementary measures will be appropriate, in which case data exporters must suspend the transfer and consider ending it altogether.

How OneTrust Helps: OneTrust Schrems II Solutions includes pre-built templates based on the EDPB recommendations for supplementary measures to determine the technical, contractual, or organizational supplementary measures that can be adopted.
