In this three-part blog series, we take a closer look at the EDPB’s final recommendations on the supplementary measures for data transfers and the six step roadmap. In the first part we looked at steps one and two – knowing your transfers and identifying the transfer tools you are relying on – and in the second we discussed steps three and four – assessing whether your transfer tools are effective in light of all circumstances of the transfer and adopting supplementary measures. In the third and final installment, we will cover the fifth and sixth steps on the EDPB roadmap – the procedural steps if you have identified effective supplementary measures and re-evaluating at regular intervals.
The EDPB 6 Step Roadmap
Step 5: Procedural steps if you have identified effective supplementary measures
Having undertaken a third country assessment and identified the effective supplementary measures needed to create an essentially equivalent level of data protection for your data transfer, the EDPB states that there may be additional procedural steps to take depending on the Article 46 transfer tool you are relying on.
Standard Contractual Clauses (SCCs)
Where supplementary measures are adopted alongside SCCs, the EDPB states that the relevant supervisory authority will not need to be consulted on the basis that:
- the supplementary measures do not contradict the SCCs
- the GDPR-level of protection offered by the SCCs is not undermined
- additional clauses cannot be interpreted in a way that affects the rights and obligations set out by the SCCs
- the unambiguity of the clauses and sufficient levels of data protection are demonstrable
However, the EDPB draws attention to the fact that supervisory authorities continue to have the power to order a review of the clauses. Supervisory authorities will need to be consulted if any of the supplementary measures contradict the original terms of the SCCs or if the original terms require modification to provide a sufficient level of data protection.
Binding Corporate Rules (BCRs) & Ad-Hoc Contractual Clauses
The EDPB calls attention to the CJEU’s judgment in Schrems II being relevant in the case of BCRs and other transfer mechanisms whereby third country legislation may impact the levels of data protection offered by that mechanism. This is due to the transfer tools outlined in Article 46(2) of the GDPR being considered contractual in nature and therefore not binding for public authorities in a third country. Where Article 46(2) transfer mechanisms are relied on, the EDPB recommendations refer back to the third country assessment to determine whether appropriate supplementary measures can be adopted to provide an essentially equivalent level of data protection.
How OneTrust Helps: OneTrust Schrems II Solutions include multiple tools for your organization to use when assessing the effectiveness of supplementary measures, including Transfer Impact Assessment (TIA) templates and third country research materials.
Step 6: Re-evaluate at appropriate intervals
In the sixth and final step of the EDPB’s roadmap, it is stressed that accountability is an ongoing requirement for organizations under Article 5(3) of the GDPR. Therefore, businesses must put in place the appropriate measures to be able to continually monitor the status of third country legislation and practices in order to ensure that they have sufficient safeguards and supplementary measures in place for their data transfers.
The EDPB also highlights that if the supplementary measures used to safeguard personal data during a data transfer are found to be ineffective due to a change in third country legislation, or if the data importer has breached commitments to the transfer tool you are relying on, then there must be appropriate processes in place to “promptly suspend or end transfers.”
How OneTrust Helps: OneTrust Vendor Risk Management tools allow you to monitor and re-evaluate third-party vendor contracts on a regular basis through automated questionnaire responses as well as the ability to generate audit-ready reports and dashboards.
Further reading on the EDPB 6 Step Roadmap:
- OneTrust Blog: EDPB Final Recommendations: The 6 Step Roadmap (Part 1 of 3)
- OneTrust Blog: EDPB Final Recommendations: The 6 Step Roadmap (Part 2 of 3)
- OneTrust Solutions: Schrems II
- OneTrust DataGuidance Blog: The Definitive Guide to Schrems II