Which contractual and organisational precautions after Schrems II?

Following the European Data Protection Board’s six steps roadmap, data exporters shall assess data transfers to third countries, as we explained earlier.

If the laws in the country of the importer (outside the EEA) do not meet the “European Essential Guarantees” (EEGs), one or more supplementary measures must be adopted (Step 4).

The European Data Protection Board provides non-exhaustive lists of examples of supplementary measures.

Technical measures

As seen earlier, technical measures should be taken.

They can be completed by …

… contractual measures

The EDPB gives as examples:

  • obligation to use specific technical measures,
  • transparency by the exporter about the access to data in its country by public authorities (i.e. questionnaire in an annex to the contract), and about requests of access to personal data by public authorities received over a specified period of time,
  • clauses whereby the importer certifies that (1) it has not purposefully created back doors or similar programming that could be used to access the system and/or personal data (2) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems, and (3) that national law or government policy does not require the importer to create or maintain back doors or to facilitate access to personal data or systems or for the importer to be in possession or to hand over the encryption key,
  • clauses that reinforce the exporter power to conduct audits of the data processing facilities of the importer, on-site and/or remotely, to verify if data was disclosed to public authorities and under which conditions,
  • clauses that strengthen the obligation of the data importer to inform promptly the data exporter of its inability to comply with the contractual commitments and as a result with the required standard of “essentially equivalent level of data protection”,
  • clauses whereby the importer commits to regularly publish (e.g. at least every 24 hours) a cryptographically signed message informing the exporter that as of a certain date and time it has received no order to disclose personal data or the like (“warrant canary” method),
  • the importer can commit to reviewing, under the law of the country of destination, the legality of any order to disclose data and to challenge the order,
  • clauses that oblige the importer and/or the exporter to notify promptly the data subject of the request or order received from the public authorities of the third country, or of the importer’s inability to comply with the contractual commitments, to enable the data subject to seek information and an effective redress,
  • clauses that commit the exporter and importer to assist the data subject in exercising his/her rights in the third country jurisdiction through ad hoc redress mechanisms and legal counselling.

A question quickly arises : Do the new SCC’s include all these clauses ? We answer it here.

… and/or organisational measures

  • Internal policies for governance of transfers especially with groups of enterprises.

The EDPB suggests that these policies include, among others, the appointment of a specific team, which should be based within the EEA, composed by experts on IT, data protection and privacy laws, to deal with requests that involve personal data transferred from the EU; the notification to the senior legal and corporate management and to the data exporter upon receipt of such requests; the procedural steps to challenge disproportionate or unlawful requests and the provision of transparent information to data subjects.

  • Transparency and accountability measures:
    • Document and record the requests for access received from public authorities and the response provided, alongside the legal reasoning and the actors involved. These records should be made available to the data exporter, who should in turn provide them to the data subjects concerned where required.
    • Regular publication of transparency reports or summaries regarding governmental requests for access to data and the kind of reply provided, insofar publication is allowed by local law.
  • Organisation methods and data minimisation measures.
  • Adoption of standards and best practices.
Our advice:

As such, it is doubtful that contractual and technical measures will be sufficient to ensure an adequate level of protection. In our opinion, they should complete technical measures.

Lexing’s Privacy and Data Protection Department is at your disposal to assist you in the compliance of your international data transfers, including assisting you in setting up the appropriate supplementary measures.

You can also review our webinar on the subject here.

from Fanny Coton , Thomas Espeel

Any queries?

Contact us