The recent ruling of the Court of Justice of the European Union (CJEU) in DPC v Facebook Ireland, Maximillian Schrems (Schrems II) and guidance from the EDPB has confirmed that transfers from Europe and the UK to third countries under SCCs and other approved transfer mechanisms will only be valid if the data exporter can verify, on a case by case basis, that the level of protection provided to the personal data following the transfer is essentially equivalent to and does not undermine the level of protection guaranteed to data subjects under EU law including the GDPR, ensuring the safeguards offered by the exporter provide enforceable legal rights and effective legal remedies for data subjects. Where relevant, additional safeguards may be required to mitigate any potential shortfalls in the levels of protection offered.
The global Data Protection, Privacy & Security team at DLA Piper have designed a standardised data transfer methodology to help data exporters and importers logically assess the safeguards available when transferring personal data to particular third countries and whether they are adequate. The methodology includes a five step assessment process, comprising a proprietary scoring matrix and weighted assessment criteria to help manage effective decision making. It is fully aligned to latest requirements of EU data protection law following the CJEU ruling in Schrems II. The model takes into account key relevant factors including:
- the regulatory regime in the countries where the data exporter and importer are respectively based;
- the nature of, and purposes for which, the data that are being transferred;
- the extent to which the laws in the destination country provide appropriate protection to data subjects, taking account of:
- the safeguards offered by local data privacy laws;
- the risks posed by wider laws authorising public authorities to access or conduct surveillance on private information for national security or other reasons – recognising laws in some of these areas are likely to be apply to specific sectors only;
- the ease of access to judicial process to protect personal rights;
- the role of local regulators and supervisory authorities in protecting data;
- the ability of individuals to raise complaints, appeal and enforce decisions;
- the impact of relevant international treaties and related commitments;
- any additional safeguards applied to the proposed transfer arrangements – whether due to additional contractual clauses, industry specific protections, or specific technical and organizational controls;
- the residual risk to a data subject.
The assessment is designed to provide an auditable report to support decision making as to whether, on a case by case basis, sufficient safeguards are in place to be able to proceed with a transfer. The DLA Piper team will regularly review and, where appropriate, enhance the assessment model to ensure it reflects latest regulatory guidance.
For further information please contact any member of the DLA Piper
Data Protection, Privacy and Security team at firstname.lastname@example.org
Further Schrems II resources: