As the world becomes increasingly interconnected and businesses continue to expand globally, the need to transfer personal data outside the EU has become more prevalent. Most companies must process personal data to conduct their operations, so it is crucial that they follow specific guidelines to ensure compliance with General Data Protection Regulation (GDPR) and other EU data protection laws.
The ruling of the Court of Justice of the European Union (CJEU) in the case of Schrems II and guidance by the European Data Protection Board (EDPB) set the course for international data transfers.
Here are the 10 most important steps that businesses need to follow when transferring personal data outside the EU:
1. Identify the legal basis for the transfer
Businesses must first determine the legal basis for transferring personal data outside the EU. This could include the performance of a contract, compliance with a legal obligation, or the overriding legitimate interests of the business.
2. Obtain consent
In some cases, it may be necessary to obtain the explicit consent of individuals before transferring their personal data outside the EU. It is especially important for sensitive data, such as health or financial information.
3. Use approved transfer mechanism
There are several approved mechanisms that businesses can use to transfer personal data outside the EU, including standard contractual clauses (SCCs), binding corporate rules (BCRs), and codes of conduct.
Also, there are countries where the EU Commission determined the level of data protection as equivalent to that provided by EU law (e.g. for Canada or Japan). It is important to choose the appropriate mechanism based on the specific circumstances of the transfer.
4. Assess the risks
Before transferring any personal data outside the EU, businesses must assess the risks associated with the transfer via a Transfer Impact Assessment (TIA). A TIA is a crucial step in the process of transferring personal data outside the EU. It involves analysing the potential risks associated with the transfer and determining the appropriate measures to mitigate those risks.
That includes evaluating the laws and practices of the destination country, the type of data being transferred and the potential impact on individuals, including any additional safeguards that may be needed.
5. Implement appropriate safeguards
Businesses must implement appropriate (additional) safeguards to protect the data, if the TIA determines risks associated with the data transfer. This can include standard contractual provisions, technical measures such as encryption or organizational rules (e.g. access rights).
6. Enter into data processing agreements
If the personal data is being transferred to a third party for processing, it is essential to enter into a data processing agreement that clearly outlines the responsibilities and obligations of both parties. The SCCs contain all relevant provisions to comply with the requirements regarding commissioned data processing, i.e. no additional agreements would be necessary if the SCCs are used as a transfer tool.
7. Use encryption and other security measures
Encrypting personal data and implementing additional security measures can help to protect it during the transfer process. Businesses should ensure that they have adequate security measures in place to prevent unauthorized access to personal data.
8. Document the data transfer
Businesses must keep records of their personal data transfers outside the EU, including the purpose of the transfer, the type of data being transferred, and the mechanism used for the transfer.
9. Inform individuals
Individuals have the right to be informed about the transfer of their personal data outside the EU. It includes providing them with information about the destination country, the purpose of the transfer, and the safeguards in place to protect their data. This is usually done via privacy notices on websites or in apps.
10. Conduct regular reviews
It is important to regularly review and monitor the transfer of personal data outside the EU to ensure that it is still compliant with EU data protection laws. This points to re-assessing the risks, the appropriateness of the transfer mechanism, and the effectiveness of the safeguards in place.
This also means staying up-to-date on developments in EU data protection laws and guidance from the EDPB, as these may impact the transfer of personal data outside the EU. If reviews reveal gaps, update policies or procedures accordingly.
By following these 10 steps, businesses can ensure that their data transfers outside the EU are conducted in a manner that protects the personal data of their customers as well as employees and complies with EU data protection laws.
How can DataGuard help?
With DataGuard, not only you have access to our in-house team of privacy and security specialists but also to our web-based platform. There, you can manage your records and privacy notices for international data transfers and your third-party processors.
At the same time, our experts support you in conducting a TIA, finding the proper legal bases for your transfers and consulting you on appropriate safeguards to keep your cross-border data flows privacy compliant.
As we regularly participate in conferences and exchange with authorities, our experts are always up-to-date and flag new developments regarding international data transfers in the respective jour fixe meetings.
Want to learn more about international data transfers? Get in touch with our in-house experts at DataGuard today.
