Peter Nordbeck, lawyer, Delphi law firm.
In the ruling, the European Court of Justice struck down the Privacy Shield as a mechanism for transferring personal data to the United States, but ruled that the standard terms of the contract could still be applied. However, the personal data controller should consider whether the law of the recipient’s country guarantees adequate security of the personal data prior to the outsourcing.
At the beginning of June this year, the final version of the EDPB recommendations for the transfer of personal data to countries outside the UEP / EEA was published. The final version of the European Commission’s standard contractual clauses arrived before mid-summer. In addition, in a decision of June 28, the European Commission authorized the transfer of personal data to the United Kingdom.
In autumn 2020, the European Data Protection Board (EDPB) published the first edition of recommendations regarding the transfer of personal data to countries outside the EU / EEA. The European Commission has drawn up proposals for new fixed-term conditions to modify the conditions of the GDPR and take into account the Shrews II judgment.
Below I will comment on the impact they have on the outsourcing of this IT news and services.
In my opinion, the new statute is a reduction in the possibility of transferring personal data to countries outside the EU / EEA in the event of an outsourcing event. Before I comment in more detail, let me first take a look at what the recommendations mean.
EDPB recommendations concerning the transfer of personal data to countries outside the EU / EEA
The first version of the recommendations was criticized during the public consultation as being too strict and impractical. The ETPP took into account the views, in particular on how the law should be assessed in practice in the recipient’s country.
Among the recommendations “Roadmap” Information on what companies, officials and other entities must respect before a transfer to a third country (and in relation to transfers in progress) and what additional protections may be required for a transfer to a third country. third country in accordance with the GDPR.
Various steps to be followed by companies in exchange for third countries:
Identify which exchanges of personal data take place with third countries.
Identify the transfer mechanism in Chapter V of the GDPR (eg: standard contractual clauses),
Examine whether the law or practice of a third country controls the effectiveness of the transfer mechanism;
Identify and take additional security measures if necessary,
Take the practical measures necessary for the application of additional security measures;
Assess the level of security of personal data transferred to a third country at appropriate intervals and monitor whether there are any changes that could affect the level of security.
Examples of additional security measures according to point 4 are the encryption of personal data, for example, the storage of service data provided by a cloud service provider. Another highlighted security measure is the pseudonym of personal data, which means that personal data is not displayed in clear text, but additional data is required to identify the individual. The most important change in the final recommendations is the assessment of the law and the perspective on how the law should be applied in the recipient country. It is no longer “black or white” as in the previous version of the recommendations.
Focuses on how the law and practice in the recipient’s country affects the current transfer of personal data in practice. For example, Section 702 of the US FISA Act explicitly states in the examples given in the recommendations that the US may be permitted to transfer personal data if this does not apply to the transfer in question in practice. Transfer mechanism (eg standard contractual clauses). It is however underlined that the study of the law and the practice of the third country to be carried out must be complete.
Key factors of the study: Whether the data is transmitted in the law and / or practice of the recipient country and / or applicable to the recipient;
Experience and / or related data transfer experience of the outsourcing provider and other related providers in the relevant field;
If the authorities in the recipient’s country have requested access to data such as that of the hijacker;
Whether access to the outsourcing provider was allowed or denied if there was a formal request.
It is emphasized that the information based on the assessment must be relevant, objective, reliable, verifiable and accessible to the public.
As can be seen, significant work needs to be done to document how the laws and practices of the recipient’s country affect the transfer of personal data when it is outsourced. It is appropriate for the outsourcing provider – who has the closest access to the information – to participate in the investigation. To get the right assessment, it is best to contact a lawyer specializing in the law of the recipient’s country. The softening provided by the EDPB in the final version of the recommendations is welcome. In practice, the regulation means that it is still possible to outsource personal data to a country outside the EU / EEA).
However, before the transfer can take place, a careful examination must be carried out to ensure that the law or practice of the recipient’s country, for example, does not restrict the security provided by the terms of the model contract. If the investigation shows that the sections of the fixed contract do not provide adequate protection because the recipient is using the country’s law or practice for similar transfers, additional security measures (step 4) should be taken. New clauses in European Commission fixed-term contracts
The new standard contractual clauses are adapted to the GDPR. Different types of transfers are brought together in a single document and the obligations of the parties are divided into different blocks:
Summary of the news:
- IT contracts and news on data security
- Check out all the news and articles about the latest security updates.
Disclaimer: If you need to update / change this news or article, please visit our help center.
For the latest updates Follow us on googIe New