After the landmark ruling "Schrems II", the European Data Protection Board (EDPB) published its recommendations on data transfers to third countries in November 2020. These recommendations will be key for Swiss companies.
In the Schrems II ruling, the European Court of Justice (ECJ) declared the EU-US Privacy Shield invalid. However, data transfers to a third country (a country outside the EU/EEA) remain possible on the basis of, for example, Standard Contractual Clauses, although supplementary measures may be necessary.
The EDPB, an independent European body that contributes to the uniform application of data protection rules throughout the EU, has addressed the complex task of assessing third countries and identifying appropriate additional procedures, where needed, and has updated its recommendations. These recommendations provide data exporters (controllers or processors) with a series of steps to follow, potential sources of information, and some examples of supplementary measures that could be put in place.
In summary, the recommendations set out six steps that companies subject to the GDPR should follow to enable secure and legally compliant data transfers to third countries:
1. Know your transfers: Organizations need to ensure that they are aware of all data transfers; therefore they shall map and document their international data flows. In addition, they must ensure that the data transferred is adequate, relevant and limited to what is necessary.
2. Identify your transfer tools: Determine the safeguards (transfer tools) on which the international data transfers rely. If a data transfer goes to a country with an adequacy decision from the EU, no further measures need to be taken – otherwise supplementary action may be necessary (see step three).
3. Assess whether the tools are sufficient: The mere selection of a transfer tool in accordance with Article 46 GDPR may no longer be sufficient. Companies shall ensure that the level of protection guaranteed by the GDPR is not undermined by the transfer. Therefore, careful consideration shall be given to whether there is anything in the law or practices of the third country that may impair the effectiveness of the appropriate safeguards.
4. Adopt supplementary measures: Should the assessment (step three) reveal that the used transfer tool is not effective, organizations will need to consider on a case-by-case basis which supplementary measures could be suitable. In principle, additional measures may be of contractual, technical or organisational nature. Where there is a risk of access through foreign public authorities, technical measures may inevitably be necessary.
5. Take formal procedural steps to implement said supplementary measures: The steps to implement are not the same for every transfer mechanism. Thus, different actions are needed for the various underlying transfer tools (Standard Contractual Clauses, Binding Corporate Rules as well as ad hoc clauses), and these are clearly described in the EDPB recommendations.
6. Re-evaluate at appropriate intervals: The level of protection has to be monitored on a regular basis. Sound review procedures should be in place to ensure a prompt reaction when the transfer tool or the supplementary measures are no longer effective in a third country.
With these six steps, the EDPB sets out clear expectations on companies to ensure GDPR compliance, and these expectations are high. However, it still remains unclear which measures, or which combinations of measures, may provide sufficient protection after all.
Companies in Switzerland are advised to implement the above-mentioned steps in order to design and ensure secure data transfers. Nevertheless, developments in this area still need to be monitored. PwC will be happy to help you control your data flows and implement appropriate supplementary measures so that you can safely withstand the turbulence following the "Schrems II" ruling.