Following the adoption of the new EU General Data Protection Regulation (GDPR) on 27 April 2016, most organisations began to re-examine their internal processes and procedures in order to ensure compliance with the new requirements before its entry into force in May 2018.
To assist you in this task, we have identified 10 hot topics which should be handled in priority. We propose to present each of these points of attention separately in a newsflash to be published every two weeks, where we will provide you with practical hints to prepare efficiently.
In this issue, we will describe the legal landscape for transfers of personal data under the GDPR and provide guidelines for companies on how to implement a compliant cross-border data transfer strategy.
Transfers of personal data
The GDPR essentially contains the same set of tools as under the current 1995 Data Protection Directive. Some new elements are however provided under the GDPR, the most important being the removal of the requirement to request a prior authorisation to the Data Protection Authority (DPA) for some transfers based on appropriate safeguards such as standard contractual clauses.
A breach of the GDPR data transfer provisions being sanctioned with the maximum level of fines, it is clear that data transfers will remain a major priority for authorities. Companies should therefore carefully review their cross-
Under the current legislative framework, personal data may only be transferred outside the EEA to countries which have been recognised, based on an adequacy decision from the European Commission, as providing an adequate level of data protection. Such countries include Andorra, the Faeroe Islands, Switzerland, Israel, Jersey, Guernsey, Argentina, the Isle of Man, New Zealand, Uruguay and Canada. On the same note, transfers to companies in the US that have self-certified to the standards set out under the EU-US Privacy Shield are accepted.
Transfers to other countries or to companies in the US that have not self-certified to the Privacy Shield may only be done provided that the transferor can rely on specific derogations listed by the law or adduces specific additional safeguards ensuring an adequate level of protection.
Derogations - Under the Luxembourg data protection law, transfers of data outside the EEA to a country not offering an adequate level of data protection may be authorised if:
• the data subject has given his consent to the proposed transfer; or
• the transfer is necessary
- for the execution of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or
- for the conclusion or execution of a contract concluded in the interest of the data subject between the controller and a third party; or
- for important public interest grounds, or for the establishment, exercise or defence of legal claims; or
- in order to protect the vital interests of the data subject; or
- for the consultation of a public register intended for public information purposes and which is open to consultation either by the public in general or by any person demonstrating a legitimate interest.
These exceptions have to be interpreted in a very strict sense and do not cover transfers of personal data which might be qualified as repeated, mass or structural.
Safeguards - In the absence of an adequacy decision and if none of the above derogations applies, data controllers may still be able to transfer data outside the EEA if they can provide adequate safeguards.
Standard contractual clauses are one way to guarantee such adequate level of protection.
The use of standard contractual clauses (SCCs) approved by the European Commission allows businesses and other organisations to fulfil their obligations under the 1995 Data Protection Directive more easily, by ensuring adequate protection of personal data transferred outside the EU.
It is up to the DPA to verify whether the safeguards and guarantees are sufficient.
The Commission has so far issued standard contractual clauses for transfers from data controllers to data controllers established outside the EEA and from data controllers to processors established outside the EEA.
For multinational groups carrying out a significant number of international transfers, the implementation of Binding Corporate Rules (BCRs), although not explicitly recognized under the current legislation, may be strongly recommended. Such BCRs will be considered as ensuring an adequate level of protection for data transferred outside the European Union.
BCRs are internal rules adopted by a multinational group of companies which define its global policy with regard to international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection. They must be binding on and respected by all group entities, regardless of their host countries, as well as by all their employees.
BCRs avoid the need to have a multitude of agreements in place for transfers and are a good way for companies to demonstrate to DPAs that data protection is integral to the way they carry out their business.
Such BCRs need to be approved by the DPA identified as the lead authority, which ensures EU cooperation by circulating the BCRs to the other relevant DPAs, i.e. those of the countries from which entities of the group transfer personal data to entities located in countries which do not ensure an adequate level of protection. Under the current legislation, even if the BCRs have been approved, individual transfers made under the BCRs will still need to be further authorised by the DPA, as described below.
Finally, a cross-border transfer may take place on the basis of contracts negotiated between the data exporter and the data importer, “ad hoc clauses”, subject to prior approval from the competent DPA.
Formalities - A prior authorisation from the DPA is required for transfers based on SCCs of the European Commission, ad hoc clauses validated by the DPA and approved BCRs.
A simple notification to the DPA will be necessary for transfers based on the above-listed derogations or for transfers to a company in the US that has self-certified to the Privacy Shield.
Data transfers under the GDPR
Essentially, general restrictions on cross-border data transfers under the GDPR are similar to existing requirements which will remain in place, with the following improvements.
No more prior administrative formalities? The GDPR does not require that transfers be subject to a country-specific authorisation request except for transfers based on ad hoc clauses which have not been approved by a DPA yet.
In line with the above, on 31 August 2016 a bill was submitted to the Luxembourg Parliament in order to abolish several authorisation regimes currently set out under the data protection law. Namely, a prior authorisation may no longer be required for transfers outside the EEA to countries that do not ensure a sufficient level of data protection if they are based on SCCs or approved BCRs. It has to be noted that transfers based on specific derogations, such as the prior consent of the data subjects, may still need to be notified to the Luxembourg DPA.
The adequacy decisions will be based on clearer requirements and broader standards. They may be made in relation to territories and industry-sectors within a specific country.
Derogations remain essentially unchanged except for the below:
- Consent is now required to be explicit and granted by the data subject after having been informed of the possible risks of such a transfer due to the absence of an adequacy decision and appropriate safeguards. Data controllers and/or processors will have to prove that they have duly provided such information. This may impose an additional burden on companies that rely on consent as a basis for their cross-border data transfers, and such companies may wish to reconsider their international transfers strategy.
- The GDPR introduces a new derogation for a transfer that is not repetitive, concerns only a limited number of data subjects and is necessary for the purposes of compelling legitimate interests pursued by the data controller which are not overridden by the interests or rights and freedoms of the data subject. The controller will need to have assessed all the circumstances surrounding the data transfer and informed the DPA and the data subjects.
This derogation applies as a “last resort” derogation for transfers that cannot be based on an adequacy decision, appropriate safeguards or one of the above-listed derogations. It is however unclear how this transfer mechanism will develop in practice.
Appropriate Safeguards mainly remain unchanged but are extended:
- BCRs are now explicitly recognised under the GDPR which provides clear provisions and procedures for their preparation and approval. Once approved, transfers based on BCRs will no longer need to be authorised by the authority.
- SCCs approved by the Commission are also still considered as appropriate safeguards. The GDPR introduces new safeguards for transfers based on standard data protection clauses adopted by one or more DPAs and approved by the Commission.
- The GDPR also introduces (i) the possibility of cross-border transfers made in reliance on approved codes of conduct and (ii) certification mechanisms.
This will provide organisations with more options while implementing their cross-border data transfers approach.
- Ad hoc clauses, and provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights, must be approved by the DPA under the GDPR.
Adequacy decisions, SCCs issued by the Commission as well as BCRs and contractual ad hoc clauses already approved by the DPA under the current legislative framework will remain valid until amended, replaced or repealed.
It should be noted that the GDPR makes it clear that a judgement of a court or tribunal and any decision of an administrative body of a third country requiring a controller or processor to transfer or disclose personal data may only be enforceable or recognised if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. This applies without prejudice to other grounds for transfer, but may create difficulties for organisations seeking to comply with orders from courts in third countries in the absence of such agreements.
Although the GDPR does not introduce any drastic change in relation to cross-border transfers, its entry into force should encourage companies to analyse their current data flows and assess the level of protection of personal data currently provided in relation to international transfers and the derogations and/or safeguards in place. Organisations may want to implement a new approach with respect to cross-border transfers based on the new safeguards provided under the GDPR.
It is worth keeping in mind that infringements of the provisions relating to data transfers are subject to the maximum level of fines under the GDPR, i.e. administrative fines of up to 4 % of the total worldwide annual turnover of the preceding financial year.
- Review and map existing international data flows
- Identify which current legal mechanisms you have in place in order to legitimise such transfers out of the EEA
- Assess whether you could minimise such data flow
- Assess whether the current mechanisms used should be retained or adapted in order to be compliant with the GDPR
- For intra group data transfers, consider whether the adoption of BCRs would be a suitable option