In the absence of an adequacy decision (i.e. when a country, a territory, one or more specified sectors within that third country, or an international organisation outside the EEA is not recognised by the European Commission as offering an adequate level of protection), transfers to a third country can take place if the data exporter has implemented “appropriate safeguards”.
Article 46 of the GDPR provides for the following appropriate safeguards (or “transfer tools”):
- standard contractual clauses,
- binding corporate rules,
- codes of conduct,
- certification mechanisms and
- specific safeguards for transfers between public authorities or bodies.
It is only in the absence of such appropriate safeguards that data exporters may use the derogations provided for in Article 49 of the GDPR[1].
Pursuant to the principle of accountability,[2] the controller must be able to present, when requested to do so by the CNPD (for example, in case of a control or audit), one of the appropriate safeguards listed above on which it relies for the data transfer to a country outside the EEA or to an international organisation.
In this context, it is important to mention that the so-called “Schrems II” judgement of the Court of Justice of the European Union[3] clarified that it is not sufficient to demonstrate the implementation of the appropriate safeguards listed under Article 46 of the GDPR. Data exporters (controllers and processors) relying on appropriate safeguards to carry out transfers of personal data to third countries must assess whether any measures supplementary to those required by the appropriate safeguards are necessary.
The data exporter therefore needs to verify, prior to any transfer and on a case-by-case basis, whether the selected transfer tool or appropriate safeguard is effective in ensuring that the level of protection granted by the GDPR is not undermined by the transfer in question. In particular, the data exporter has to assess whether the legislation and/or practice in the third country to which the data is transferred may affect in practice the effectiveness of the selected transfer tool in its specific case, i.e. whether it prevents the data importer from complying with its obligations under the transfer tool. If this so-called transfer impact assessment reveals that the selected transfer tool does not ensure in practice that data subjects are afforded a level of protection essentially equivalent to that which is guaranteed within the European Union, the data exporter has to verify, if need be with the help of the data importer, whether any supplementary measures exist (of a technical, additional contractual or organisational nature) which could allow the transfer tool to effectively ensure an essentially equivalent level of protection for the data transferred to third countries. If such supplementary measures exist, they have to be implemented; otherwise, the transfer has to be suspended and/or stopped.
The EDPB adopted Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data[4], which aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures. These recommendations contain a six-step approach to the transfer impact assessment, which is illustrated in the following roadmap for assessing the compliance of transfers with the provisions of Chapter V of the GDPR.
[1] See section 3.5 below.
[2] Article 5, paragraph 2 of the GDPR.
[3] Court of Justice of the European Union, 16 July 2020, Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems, case C-311/18.
[4] European Data Protection Board (EDPB), Recommendations 01/2020 of 18 June 2021 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (version 2.0).
