What impact does Schrems II have on transfers of personal data by your company?
What you need to know.
Did you know that on January 28, 1981, Convention 108, the Council of Europe's first legally binding international instrument in the field of data protection, was opened for signature? Since 2007, this has been the date on which we celebrate International Data Privacy Day! An ideal moment to look back at one of the past year’s most important developments in terms of data protection: the long-awaited Schrems II judgment of the European Court of Justice on the transfer of personal data outside the EEA.
On July 16, 2020, the Court of Justice declared the EU-US Privacy Shield to be invalid. The Court is of the opinion that the EU-US Privacy Shield offers too few guarantees to data subjects for the protection of their personal data in the US, in particular due to excessive interference by the US government. In concrete terms, this means that all transfers of personal data to the US based on the EU-US Privacy Shield have since become invalid.
Your company does not transfer personal data to the US? Keep reading nevertheless! Although the Court only declared the EU-US Privacy Shield to be invalid, it also ruled that from now on a "data transfer impact assessment" must be conducted for any transfer outside the EEA. Thus, the judgment has an impact on any company that transfers personal data outside the EEA, regardless of the mechanism invoked by the company. Do not forget that, since Brexit, transfers to the UK are also in principle considered to be transfers outside the EEA (although the EU-UK Trade and Cooperation Agreement still provides for an exception to this until at least April 30, 2021).
What you need to do.
First of all, you have to identify all transfers of personal data outside the EEA. This also includes the mere storage of personal data with parties located outside the EEA. Then you must determine which mechanism your company can rely on for the transfer. This is nothing new. The Schrems II judgment makes it clear that you must also perform a data transfer impact assessment.
If one of the adequacy decisions of the European Commission applies to the third country, your company does not have to take any further steps (with the exception of monitoring the validity of the adequacy decision). In such a case, the European Commission has already carried out the data transfer impact assessment. The data transfer impact assessment likewise ends here if your company invokes one of the grounds for exception provided for in Article 49 of the GDPR for occasional transfers.
If, on the other hand, your company uses the European Commission's Standard Contractual Clauses or has adopted binding corporate rules for intra-group transfers, you should always verify that the laws and practices of the third country do not undermine the effectiveness of the clauses or the rules and, if necessary, take additional measures to protect the personal data transferred to the third country. In this regard, the EDPB recently published guidelines to assist companies in carrying out this analysis. For example, you need to check whether the data subjects can effectively exercise their rights in such a third country, whether there is legislation in place that regulates the access of public authorities to personal data, and whether an independent data protection authority is active. The guidelines provide relevant information sources for this analysis. If the data transfer impact assessment shows that the legislation of the third country impairs the effectiveness of the transfer mechanism you are invoking, you must stop the transfer or provide for additional safeguards. The guidelines offer several examples of additional measures that can be taken.
It is advisable to document the data transfer impact assessment of each transfer in a central document, in case a data protection authority has any questions about this.
Finally, you still have some time for transfers to the UK. The transfer of personal data is still possible at least until April 30, 2021 without additional measures. This transition period can be extended by another two months and should give the European Commission enough time to determine whether an adequacy decision can be adopted for the UK. If there is no (timely) adequacy decision, your company will henceforth have to rely on a different mechanism (including data transfer impact assessment) or invoke one of the grounds for exception.
2021 therefore promises to be an interesting and exciting year for data protection as well!
Please consult our website or contact one of our team members if you have questions or require more information: