On June 18, 2021, the EDPB adopted its final recommendations on supplementary measures for transferring data to a third country, to help data exporters maintain compliance with EU data protection law. One of the central themes of the EDPB’s final recommendations is accountability in data transfers, and the recommendations outline a six-step roadmap to assist organizations in assessing third countries and in identifying and implementing appropriate supplementary measures so that data can be transferred lawfully outside the EEA. In this series, we will take a closer look at each step of the roadmap, what it means for organizations, and how OneTrust can help.

Register for the webinar: Schrems II Solutions: What You Need to Follow the EDPB Recommendations on July 1 at 10 AM ET

The EDPB Six-Step Roadmap

Step 1: Know Your Transfers

The first step in the EDPB’s Roadmap is thoroughly knowing your data transfers. This means understanding exactly where your organization is sending data, both to uphold accountability obligations under the GDPR and to ascertain whether supplementary measures are necessary for a given transfer. The EDPB suggests that organizations first consult their Article 30 Records of Processing Activities as the foundation for mapping international data transfers. Mapping and recording data transfers allows organizations to ensure they are protecting the data with the appropriate safeguards, and highlights any data protection gaps in their transfer activities that require remediation before a transfer takes place. More importantly, the EDPB highlights that “knowing your transfers is an essential first step to fulfill your obligations under the principle of accountability.”

Further to Article 30 records, the EDPB highlights that information provided to data subjects under Article 13 regarding the intention to transfer personal data to a third country can also help in accurately mapping your data transfer activities. It is also important to take notice of potential onward transfers from processors to sub-processors in third countries as well as the data minimization principle, and the location of cloud service provider infrastructure.

How OneTrust Helps: OneTrust Data Mapping Automation allows you to generate up-to-date records of processing activities as well as data flow visualizations. By leveraging the OneTrust solution, organizations can automatically generate data lineage reports and cross-border maps to assist with understanding and documenting your data transfer mechanisms and cross-border data flows in line with EDPB recommendations.

Step 2: Identify the Transfer Tools You Are Relying On

After mapping your data transfers, the EDPB recommends identifying the transfer tool that each transfer activity relies upon to be lawful under the GDPR. Chapter V of the GDPR outlines the appropriate tools for transferring data to a third country, which include adequacy decisions, appropriate safeguards, and derogations.

Adequacy decisions are adopted by the European Commission to recognize that a third country offers an adequate level of protection for personal data. European Commission adequacy decisions can cover data transfers to a whole country or only to individual sectors – for example, in Canada the adequacy decision applies only to the commercial sector. An adequacy decision means that personal data can lawfully flow from the EU to the third country without the need for additional safeguards.

Countries currently considered adequate by the European Commission include Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, UK, and Uruguay.

In the absence of a European Commission adequacy decision, appropriate safeguards outlined in Article 46 of the GDPR can be used by data exporters to help ensure that the personal data subject to transfer will have an essentially equivalent level of protection.

Article 46 transfer tools include:

  • Standard Contractual Clauses (SCCs);
  • Binding Corporate Rules (BCRs);
  • codes of conduct;
  • certification mechanisms; and
  • ad hoc contractual clauses.

Finally, the EDPB states that, in the absence of both an adequacy decision and appropriate Article 46 safeguards, personal data can be transferred to a third country if it meets one of the derogations highlighted in Article 49 of the GDPR. This includes having the explicit consent of the data subject for the proposed transfer or if the transfer is necessary for the performance of a contract between the data subject and the controller. It is important to note the EDPB stresses that Article 49 has “an exceptional nature” and must be interpreted narrowly.

How OneTrust Helps: OneTrust Schrems II Solutions includes tools to help verify the mechanisms that your organization is relying on for each transfer as well as offering pre-built templates to determine the technical, contractual, or organizational supplementary measures that can be adopted in line with the EDPB’s final recommendations.



Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on the EDPB Final Recommendations.