Recommendations regarding the transmission of personal data to “third countries”

In our last newsletter we addressed the “Schrems II” privacy case, in which the Court of Justice of the European Union put an end to the EU-US Privacy Shield: the arrangement between the EU and the USA on the basis of which companies were allowed to transmit personal data from the EU to the USA. The Court maintained the possibility of transmitting personal data to the USA by using model contracts (the standard contractual clauses). In that case, however, an equivalent level of protection must also exist in practice, not only on paper.

To help controllers and processors safeguard an equivalent level of protection, the European Data Protection Board (“EDPB”) has now drawn up a set of recommendations and measures that companies may use when exchanging personal data with third countries (countries that are not EU Member States). The recommendations are currently subject to consultation and will be definitively adopted afterwards. The draft recommendations nevertheless already give a good impression of the measures that may be taken.

The EDPB’s main recommendations and measures are addressed below:

    1. Identify and map the processes in which personal data are, or must be, exchanged with third countries.
    2. Establish whether the European Commission has already made an adequacy decision on the basis of which the transmission of personal data to the third country or area is permitted. If such a decision is in place and still valid, no further measures are needed. If no adequacy decision is in place for the country in question, one of the other transfer instruments provided for in the GDPR must be chosen. The options are the aforesaid model contracts (standard contractual clauses), binding corporate rules, or approved codes of conduct or certifications.
    3. If the data is exchanged on the basis of an instrument other than an adequacy decision, it must be assessed whether laws or practices in the third country detract from the level of data protection guaranteed under the GDPR. Specific attention must be paid to legislation that allows government bodies to access the personal data.
    4. Identify the supplementary measures required to safeguard the equivalent level of protection and apply them. This is necessary only if legislation is found to exist that detracts from the effectiveness of the instrument on which the transmission of the personal data is based. Examples of measures referred to by the EDPB include encryption or pseudonymisation of the personal data. Note that such measures only help in practice if the keys or the additional information needed to re-identify the data remain under the exporter's control in the EU; where the recipient must process the data in clear text, encryption alone does not restore the level of protection. Companies will have to assess in each individual case what measure or combination of measures is required to adequately protect the personal data.
    5. If applicable, take the necessary formal steps (for instance obtaining authorisation from the supervisory authority, where the chosen instrument requires it) in order to use the chosen means of transmission.
    6. The transmission may take place once these five steps have been completed. Re-evaluate at regular intervals whether the level of protection is still guaranteed, and repeat the assessment if the legal situation in the third country changes.

The EDPB’s recommendations are open to comments from trade associations as well as individual companies. The public consultation will commence in the near future via the EDPB’s website, and the final recommendations will be adopted after the consultation closes.

Do you have any questions about this subject? Please contact Lise van den Heuvel (+31-6-23492248).

This article was published in the Newsletter Vestius of December 2020