14/04/2021
Digital law, Regulation

Options Following the Invalidation of the Privacy Shield

Dr. Attila Pintér, LLM PhD, Managing Partner

In a significant proportion of data processing activities carried out by companies, situations arise where data is transferred to a data processor established outside the European Union. This may be the case, for example, where the subsidiary is based in Hungary, while the parent company is headquartered in the United States, or where a company simply engages a foreign data processor for marketing purposes, such as MailChimp.

In the case of the United States, however, the Privacy Shield, which guaranteed the security of data processing activities, has been invalidated. This raises the question of what tools can be used going forward to safeguard data processing carried out in the United States.

The judgment of the Court of Justice of the European Union dated 16 July 2020 invalidated the decision on the EU-US Privacy Shield.

With respect to the United States, the Privacy Shield qualified as an adequacy decision, and as a result of its invalidation, data controllers may now rely on the following tiered options:

  • without the authorisation of the supervisory authority, but with its approval:
      • binding corporate rules,
      • standard data protection clauses adopted by the Commission,
      • codes of conduct,
      • certification mechanisms,
  • as well as, with the authorisation of the supervisory authority, data transfers based on contractual provisions concluded between the controller and the processor.

Below, we explain these options in slightly more detail.

Binding corporate rules regulate data transfers between members of a corporate group. In this case, the data transfer would take place in a manner approved by the national data protection authorities. These rules may be applied if they are legally binding on all relevant members of the corporate group, or of the group of undertakings engaged in a joint economic activity, and if they expressly provide for the enforceable rights of data subjects in relation to the processing of their personal data, while also meeting certain further requirements.

The next option is the application of standard data protection clauses adopted by the Commission, which may not necessarily provide a secure basis for protection, as there is no official examination of the level of protection provided by the third country. Therefore, the data exporter is responsible for assessing whether the legal system of the third country provides adequate protection and what risks the data transfer entails, and must also be able to substantiate these findings.

Codes of conduct regulate certain data protection issues and help apply the provisions of the GDPR in accordance with the specific needs of undertakings, while certification mechanisms are intended to demonstrate that controllers’ procedures comply with the safeguards set out in the GDPR.

If none of the above options can be applied, the GDPR temporarily provides protection for data transfers, provided that one of the following conditions is met: the data subject has given consent despite being informed of the risks, or the data transfer is necessary for the performance of a contract between the data subject and the controller, or it is important for the protection of the vital interests of the data subject, or the data originates from a register intended to inform the public.

As we can see, in the current situation there is no unified regulation that would safeguard the processing of personal data originating from the EU in a third country. In such cases, the appropriate procedure is for the controller to examine the processor’s GDPR compliance and, based on an individual assessment taking the risks into account, decide whether it wishes to transfer the processed data to a third country.

To address the current uncertainty, the European Data Protection Board provided guidance in its Recommendation No. 1/2020. According to the Recommendation, the controller must verify that the data transfer is appropriate for the purpose of the processing and is limited to what is necessary. It must select a transfer mechanism equipped with appropriate safeguards, and then examine whether the law of the third country undermines the safeguards contained therein. If the selected data protection mechanism does not in itself ensure a level of protection compliant with the GDPR, it must be supplemented with further measures, such as technical, organisational or additional contractual measures.

Whichever option controllers choose, the most important point is that personal data should only be transferred to a third country if the processor has provided appropriate safeguards, and if enforceable rights and effective legal remedies are also available to data subjects.