Companies transferring data outside of the European Union received new guidance on safely doing so from the European Data Protection Board this month. This follows a move by the Court of Justice of the European Union to scrap the so-called EU-US Privacy Shield in the summer, which it deemed unsafe.

While the Court also ruled that two other popular types of data transfers remained valid, they would not offer complete protection against data transfer provisions in the General Data Protection Regulation (GDPR).

“Transferring personal data to third countries cannot be a means to undermine or water down the protection it is afforded in the European Economic Area,” the guidance says. “The Court also asserts this by clarifying that the level of protection in third countries does not need to be identical to that guaranteed within the EEA but essentially equivalent.”

Ensuring protection

The EDPB advises exporters to follow six steps to ensure compliance with GDPR:

  • Know your transfers – by mapping all transfers of personal data to third countries. Exporters must verify that the data they transfer is “adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country.”
  • Verify the transfer tool – by using those listed under Chapter V GDPR. If a European Commission decision is in force that has already declared the country, region or sector to which the data is transferred is adequate (through one of its adequacy decisions under Article 45 GDPR or under the previous Directive 95/46), businesses only need to monitor the status of that decision. If no decision is in place, says EDPB, organisations should generally rely on one of the transfer tools listed under Articles 46 GDPR for transfers that are regular and repetitive.
  • Ensure the transfer protection is not ineffective – because laws or practices in the third country weaken the safeguards. “You should conduct this assessment with due diligence and document it thoroughly, as you will be held accountable to the decision you may take on that basis,” says the guidance.
  • Adopt supplementary measures – if there are possible weaknesses identified in the transfer country, data exporters need to identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence.
  • Check any supplementary measures follow the right procedures – by checking Article 46 GDPR for the transfer tool used. That could include consulting the appropriate competent supervisory authority.
  • Re-evaluate – by checking at appropriate intervals the level of protection afforded to the data transferred to third countries and to monitor if there have been or there will be any developments that may affect it. “The principle of accountability requires continuous vigilance of the level of protection of personal data,” says the guidance.

Download the EDPB guidance here.