Support Centre
Data Transfers
workspace-icon
Back

Data Transfers

The Court of Justice of the European Union ('CJEU') published, on 16 July 2020, its highly anticipated judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In particular, the CJEU declared the European Commission's EU-US Privacy Shield Decision invalid, and, whilst, the CJEU upheld the use of Standard Contractual Clauses ('SCCs'), it provided clarity around the considerations that organisations and authorities should bear in mind if utilised as the transfer mechanism of choice.

Following the invalidation of the Privacy Shield, the European Commission and the US agreed in principle on a new European Union - U.S. Data Privacy Framework ('EU-US DPF') in March 2022. Six months later, on 7 October 2022, the White House announced that President, Joseph Biden, had signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which directs the steps that the US will take to implement its commitments under the EU-US DPF.

The EU-US DPF aims to restore the legal basis for transatlantic data flows by addressing concerns expressed by the CJEU in the Schrems II Case, which include U.S. Government access to data and adequate redress mechanisms for EU data subjects.

The Executive Order will now form the basis for the European Commission to begin the process for the issuance of a draft adequacy decision, and to launch its adoption procedure thereafter. However, at the time of writing, a timeline for the process towards a new adequacy decision has not been confirmed and could take up to six months.

See our insight article for a detailed breakdown of the Executive Order and our infographic outlining the timeline of events.

OneTrust DataGuidance's Third Country Assessment Comparison can be used to assess third countries and identify applicable laws, authorities, oversight and redress mechanisms in place when carrying out your Transfer Impact Assessments.

How Does OneTrust Help with Schrems II Challenges?

The Schrems II ruling poses a new set of challenges, as organizations must now find alternative transfer mechanisms. But don’t worry, OneTrust is here to help! With our new free Schrems II Solutions, controllers can leverage OneTrust Vendor Risk Management, Vendorpedia Exchange, Data Mapping, and DataGuidance to identify and validate data transfers.

OneTrust’s Schrems II Solutions support organizations operationalize a range of changes, including:

  • OneTrust Data Mapping: Identify data transfers and the mechanisms they rely upon
  • OneTrust Vendor Risk Management: Assess vendors that rely on SCCs with pre-built validation templates and manage contract updates as well as vendor on-boarding and off-boarding
  • OneTrust Vendorpedia Exchange: Leverage pre-completed vendor assessments and chasing services
  • OneTrust DataGuidance Regulatory Research: Stay up to date on the latest Schrems II guidance

Processors can also find the support that they need to operationalize the Schrems II decision. OneTrust Schrems II Solutions help processors implement holistic privacy programs, allowing them to track the relevant guidance and implement compensating controls for GDPR equivalency.

Data Transfer Restrictions

Data Transfer Restrictions

  • There is a law/restriction/exemption in place.
  • Click to view information for additional detail.
  • There is no law/requirement/exemption in place.
    title
  • Law
  • Restriction
  • Exemptions
  • Localisation Requirement
  • Regulatory Guidelines
  • Transfers Note
  • Afghanistan
    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No Transfers Note currently available.

  • Albania
    • According to Article 8(1) of the Law, data transfers to countries outside of the EU/EEA, to third countries which have not been deemed adequate by decision of the Office of the Information and Data Protection Commissioner ('IDP'), are restricted.

    • According to Article 8(2) of the Law, data transfers are permitted when: 

      1. it is authorised by international acts ratified by the Republic of Albania and are directly applicable;
      2. the data subject has given his/her consent for the international transfer;
      3. the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken in addressing the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract between the controller and a third party, in the interest of the data subject;
      4. it is a legal obligation of the controller;
      5. it is necessary for protecting vital interests of the data subject;
      6. it is necessary or constitutes a legal requirement over an important public interest or for exercising and protecting a legal right; or
      7. the transfer is done from a register that is open for consultation and provides information to the general public.

      In cases other than those provided above, the international transfer of personal data with a state that does not have an adequate level of data protection, shall be carried out upon an authorisation from the KMDP. Consideration is also given to states which have ratified Convention 108.

    • No further information.

    • Guidelines on international data transfers issued by the Office of the Information and Data Protection Commissioner ('IDP') (only available in Albanian here).

    • No Transfers Note currently available.

  • Alberta
    • AB PIPA does not specifically regulate data transfers. However, it does regulate 'disclosure', which, according the the Official Guidelines, involves 'sharing personal information with another entity.' According to Section 19 of AB PIPA, an organisation may disclose personal information only: 

      1. for purposes that are reasonable for meeting the purposes for which the information is disclosed; or 
      2. with the consent of the individual.
    • According to Section 20 of AB PIPA, an organisation may disclose personal information about an individual without their consent if: 

      1. a reasonable person would consider that the disclosure of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent; 
      2. the disclosure of the information is required by law; 
      3. to a public body, debt collection agency or other organisations; 
      4. the disclosure is for the purposes of contacting the next of kind or a friend of an injured, ill or deceased individual; the disclosure of the information is reasonable for the purposes of an investigation or legal proceeding or for the purposes of the prevention, detection or suppression of, fraud, and the information is disclosed to an organisation that is permitted or otherwise empowered to carry out any of those purposes; 
      5. the disclosure of the information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public;
      6. the information is publicly available, as prescribed or otherwise determined by the regulations; or 
      7. the disclosure is in accordance with Section 20.1, 21 or 22 (see below). 

      Under Section 21(1) of AB PIPA, an organisation may disclose personal employee information about an individual without the consent of the individual if the information is disclosed solely for the purposes of (a) establishing, managing or terminating an employment or volunteer-work relationship, or (b) managing a post-employment or post-volunteer-work relationship, between the organisation and the individual. The disclosure must also be reasonable for the particular purpose for which it is being disclosed, and, in the case of an individual who is a current employee of the organisation, the organisation has, before disclosing the information, provided the individual with reasonable notification that his/her personal information is going to be disclosed and of the purposes for which the information is going to be disclosed. 

      Additionally, it can disclosure personal information about an individual who is a current or former employee of the organisation to a potential or current employer of the individual without the consent of the individual if: 

      1. the personal information that is being disclosed was collected by the organisation as personal employee information; and 
      2. the disclosure is reasonable for the purpose of assisting that employer to determine the individual's eligibility or suitability for a position with that employer. According to Section 22, personal information may be disclosed for the purposes of a business transaction, if: 
        1. the parties have entered into an agreement under which the collection, use and disclosure of the information is restricted to those purposes that relate to the business transaction; and 
        2. the information is necessary: for the parties to determine whether to proceed with the business transaction; and if the determination is to proceed with the business transaction, for the parties to carry out and complete the business transaction.
    • No further information.

    • Official Guidelines on the general application of AB PIPA issued by the Office of the Information and Privacy Commissioner in November 2008 and Official Guidelines on collection, use and disclosure of personal information under AB PIPA issued by the Office of the Information and Privacy Commissioner of Alberta in 2009.

  • Algeria
    • Law No. 18-07 of 25 Ramadhan 1439 Corresponding to June 10, 2018 Relating to the Protection of Individuals in the Processing of Personal Data (only available in French here) ('the Law')

    • Data controllers cannot transfer data abroad unless it has obtained authorisation from the Algerian data protection authority and the recipient country provides an adequate level of protection for the persons affected by the transfer. In addition, it is prohibited to transfer personal data if such transfer poses a danger for the vital interests of the State or public security (Article 44 of the Law). 

    • In cases where the recipient country is not recognised as providing adequate protection and the Algerian data protection authority has not authorised the transfer, as required by Article 44 of the Law, the data controller can transfer personal data if:

      • the data subject has expressly consented to such transfer;
      • the transfer is necessary for, among others, protecting the health of the data subject, safeguarding the public interest or the execution of a contract between the data subject and the data controller;
      • the transfer takes place pursuant to a bilateral or multilateral agreement to which Algeria is party; or 
      • under the authorisation from the Algerian data protection authority, the processing falls under Article 2 of the Law.
    • No further information.

    • No further information.

    • No Transfers Note currently available.

  • Andorra
    • According to Articles 35 and 36 of the Act, data transfers to countries outside of the EU/EEA, to third countries which have not been deemed adequate by either the European Commission or the Andorran data protection authority ('APDA'), are restricted.

    • According to Article 37, data transfers are permited when: 

      1. made with the unequivocal consent of the interested party; 
      2. made in accordance with international conventions of which the Principality Andorra is a party; 
      3. made for the purposes of international legal assistance, or for the recognition, exercise or defence of a right in the context of legal proceedings; 
      4. made for medical prevention or diagnosis, health care, social prevention or diagnosis or for the vital interest of the interested party; 
      5. made for the purpose of bank remittances or transfers of money; 
      6. necessary for the establishment, execution, fulfilment or control of legal relationships or contractual obligations between the interested party and the file manager; 
      7. necessary to preserve the public interest; or 
      8. concerned with data taken from public registries or is made in compliance with the functions and purposes of the public registries.
    • No further information.

    • Guidelines on international transfers issued by the Andorran data protection authority ('APDA') (only available in Catalan here).

    • No Transfers Note currently available.

  • Angola
    • Law No. 22/11 on the Protection of Personal Data ('the Law') (only available in Portuguese here).

      Please note that the Agency for the Protection of Personal Data has not yet been established.

    • According to Section 33 of the Law, data transfers are prohibited to countries that do not ensure an adequate level of protection. The adequacy must be assessed by the National Database Protection Agency ('APD').

    • According to Section 34 of the Law, data transfers are permitted when: 

      1. The data subject has given his/her unequivocal, express and written consent; 
      2. The transfer is required by an international treaty to which the Republic of Angola is a party; 
      3. The transfer is necessary for humanitarian reasons; 
      4. The transfer is necessary for the performance of contract of for precontractual measures; 
      5. The transfer is necessary for the performance of a contract between the data controller and a third party, which is in the interest of the data subject; 
      6. The transfer is necessary for legal obligations or for legal actions; 
      7. The data subject cannot give his/her consent and the transfer is necessary for his/her vital interest; 
      8. The data are included in a publicly available source; and 
      9. If the recipients are bound by contractual agreements to ensure the same level of protection. Data transfers are also allowed when a company has internal rules ensuring the protection of data.
    • No further information.

    • The APD has not yet released any guidelines on data transfers specifically. However, in its guidance on data processing notifications (only available in Portuguese here), the APD highlights that, regarding data transfers, organisations must indicate whether the data is sent outside of Angola. If so, organisations must indicate the country, entity, data type and the respective legal basis.

    • No Transfers Note currently available.

  • Antigua and Barbuda
    • Under Section 2 of the Act, disclosure of personal data by transmission, transfer, dissemination or otherwise making it available falls under the concept of processing. Section 5(1) further states that personal data cannot be processed unless the data subejct has given his/her consent.

    • According to Section 5(2) of the Act, data may be processed without consent for the following purposes: 

      1. for the performance of a contract to which the data subject is a party; 
      2. for the taking of steps at the request of the data subject with a view to entering into a contract; 
      3. for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract; 
      4. in order to protect the vital interests of the data subject; 
      5. for the administration of justice; or 
      6. for the exercise of any functions conferred on a person by or under any law.

       

      Moreover, such processing is subject, under Section 5(3) of the Act, to the requirement that it is processed for a lawful purpose directly related to an activity of the data user, that it is necessary for or directly related to that purpose, and that the personal data is adequate but not excessive in relation to that purpose.

    • International Foundations Act 

      According to Article 36 of the International Foundations Act 2007, the minutes of each council meeting shall be kept at the registered office of the foundation and shall be open to inspection by the founder, any foundation council member, any beneficiary, the Court or the Financial Services Regulatory Commission.

    • No further information.

    • No Transfers Note is currently available.

  • Argentina
    • Personal Data Protection Act, Act No. 25.326 of 2000 ('the Act') and Decree No. 1558/2001 Regulating Act No. 25.326 ('the Decree')(only available in Spanish here).

      Please note that a draft data protection amendment bill is currently being reviewed by the Government (only available in Spanish here).

    • Section 12(1) of the Act states that the transfer of any type of personal information to countries or international or supranational entities that do not provide adequate levels of protection is prohibited. 

    • Under Section 12(2) of the Act, the prohibition does not apply in the following circumstances:

      1. international judicial cooperation;
      2. exchange of medical information, when so required for the treatment of the affected party, or for an epidemiological survey, provided that the data has been anonymised;
      3. stock exchange or banking transfers, to the extent thereof, and in pursuance of the applicable laws;
      4. when the transfer is arranged within the framework of international treaties which the Argentine Republic is a signatory to; or
      5. when the transfer is made for international cooperation purposes between intelligence agencies in the fight against organised crime, terrorism and drug-trafficking.

       

      In addition, Section 12 of the Decree authorises transfers where express consent has been granted by the data subject. It also states that consent is not required when data is transferred from a public registry that is legally constituted to provide information to the public and is open for consultation by the general public or by any person who can demonstrate a legitimate interest, provided that the legal and regulatory conditions for consultation are complied with in each particular case.

      The Argentinian data protection authority's ('AAIP') Regulation 60 – E/2016 on international data transfers listing the countries to which transfers are permitted (only available in Spanish here) ('the International Transfers Regulation'). Moreover, the International Transfers Regulation contains two model contracts that can be used for international data transfers to countries that do not provide adequate levels of protection; one must be used for transfers between data controllers, and the other must be used for transfers to data processors.

    • No further information.

    • The AAIP's guidance on cross-border data transfers (only available in Spanish here).

      The AAIP's guidelines on Binding Corporate Rules (only available in Spanish here).

       

  • Armenia
    • Article 26 and 27 of the Law state that personal data may be transferred to a third party or to another state with the data subject's consent, where it is required for by law and the state has an adequate level of data protection, or where the transfer of data stems from the purposes of processing personal data and/or is necessary for the implementation of these processes. The transfer of biometric or special category personal data needs to be notified to the Personal Data Protection Agency ('the Agency').

    • Article 26(2) of the Law states that special category personal data can be transferred to third parties without the data subject's consent, where the data processor is considered a processor of special category personal data prescribed by law or an interstate agreement, the transfer of such information is directly provided for by law and has an adequate level of protection, or the transfer od data is to protect the life, health, or freedom of the data subject. 

      Moreover, according to Article 27(3) of the Law, personal data can be transferred to a state not providing adequate data protection by the permission of the Agency, where the personal data are transferred on the basis of an agreement with appropriate safeguards approved by the Agency as providing adequate protection.

    • Government Decree No. 1521-N of 26 December 2013 on Approving Minimum Requirements for Official Websites of the Internet Network (only available in Armenian here) establishes data localisation requirements for the official websites of governmental agencies.

    • No further information.

  • Aruba
    • National Ordinance of May 19, 2011 Laying Down New Rules for the Protection of Privacy in Connection with the Recording and Dissemination of Personal Data ('the Ordinance') (only available in Dutch here).

    • DataGuidance confirmed with Daniel Rasmijn, Attorney at HBN Law, that data transfers must comply with the conditions contained in Article 9 of the Ordinance if they are to be lawful:

      1. the transfer is necessary in connection with the purpose of the data recording;
      2. insofar as necessary based on legislation;
      3. if the data subject has granted their consent;
      4. in the interest of academic research, statistics or other urgent reasons, if certain specific conditions are met.

      Moreover, Article 24(2) of the Ordinance establishes a prohibition to transfer data from Aruba to a foreign country if the Ordinance is not applicable and the Minister of Justice has declared that such a transfer would be harmful to the privacy of data subjects.

    • DataGuidance also confirmed with Daniel Rasmijn that there are no exemptions that allow an international data transfer once the Minister has declared that it would harm privacy rights.

    • No further information.

    • No further information.

    • No Transfers Note is currently available. 

  • Australia
    • Privacy Act 1988 No. 119, 1988 (as amended) ('the Act')

    • Principle 8 of the Act provides that the cross-border use or disclosure of data can happen only when the entity, which wants to transfer the data, has taken such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles ('APP') (other than Australian Privacy Principle 1) in relation to the information. In addition APP entities that disclose personal information outside Australia are liable under The Notifiable Data Breaches scheme, and must notify eligible data breaches while the information is under the APP entity control.

    • According to Principle of 8 of the Act, an entity does not have to take the reasonable steps when: 

      1. The recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; 
      2. The entity expressly informs the individual that if he/she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure; after being so informed, the individual consents to the disclosure; 
      3. The disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; 
      4. A permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the disclosure of the information by an entity covered by the APP; 
      5. The entity is an agency and the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or 
      6. The entity is an agency and both of the following apply: the entity reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body.
    • There are currently no statutory localisation or residence requirements for personal information. However, certain health information cannot leave certain States (e.g. NSW, Victoria and ACT) unless the discloser is satisfied they are going to a place with similar health information privacy laws. In particular, Section 77(1) of the Personally Controlled Electronic Health Records Act 2012 ('PCEHR') notes that operators which are subject to PCEHR are not required to hold or take records outside Australia.

      Exemptions

      Such operators are exempted from this restriction, provided that the records do not include personal information in relation to a consumer or participant in the PCEHR system or identifying information of an individual or entity.

      A mandatory comprehensive credit reporting regime is currently being considered in the form of the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019, which includes a localisation requirement. 

  • Azerbaijan
    • Law of 11 May 2010 No. 998-IIIQ on Personal Data (only available in Azerbaijani here) ('the Personal Data Law')

    • According to the Law, Article 14 of the Personal Data Law cross border transmissions of personal data are prohibited in the following cases:

      • when creating a threat to the national security of the Republic of Azerbaijan;
      • if the legislation of the country where the personal data is transmitted does not provide legal protection of such data at the level established by the legislation of the Azerbaijan Republic;
      • in cases where the subject agrees to the cross-border transfer of personal data, as well as the transfer of personal data is necessary to protect the life and health of the subject, the cross-border transfer of personal data may be carried out regardless of their level of legal protection; and
      • in the case of cross-border transmission of personal data, the security of this data is ensured by the owner or operator. 
    • Not applicable. 

    • Not applicable. 

    • Not applicable. 

    • No Transfers Note currently available.

  • Bahrain
    • Law No. (30) of the Year 2018 Issuing a Law on the Protection of Personal Data (only available in Arabic here) ('the Act') 

    • Under Article 12 of the Act, data transfers outside Bahrain are prohibited, unless:

      1. the relevant country or territory provides adequate protection of personal data, based on the assessment of the competent authority; or
      2. the competent authority permits the transfer, having assessed the circumstances.
    • Under Article 13 of the Act, data transfers to a country or territory that does not provide adequate protection of personal data is permitted if:

      1. the individual gave their consent;
      2. the personal data originates from public registers; or
      3. the data transfer is necessary for the following purposes: fulfilment of a contract; protection of vital interests of the individual; implementation of a legal obligation; or legal claim purposes.
    • Central Bank Business Standards

      According to Central Bank of Bahrain ('CBB') Voume 1 Business Standards, OM 7.3.1 ('the Rule'), conventional bank licencees must maintain the following records in original form or in hard copy at their premises in Bahrain: 

      1. internal policies, procedures and operating manuals; 
      2. corporate records, including minutes of shareholders, directors and management meetings; 
      3. correspondence with the CBB and records relevant to monitoring compliance with CBB requirements;
      4. reports prepared by the conventional bank licensee's internal and external auditors; and 
      5. employee training manuals and records.
    • No further information.

    • No Transfers Note currently available.

  • Bolivia
    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No Transfers Note is currently available. 

  • British Columbia
    • BC PIPA does not specifically regulate data transfers. However, it does regulate 'disclosure', which, according the the Official Guidelines, involves 'showing, sending or giving some other organisation, government or individual the personal information in question.' An organisation may disclose personal information only: 

      1. for purposes that a reasonable person would consider are appropriate in the circumstances and that the data subject has been notified of in advance, as per Section 17 of BC PIPA; or
      2. with the consent of the individual, as per Section 6(1) of BC PIPA.
    • According to Section 18 of BC PIPA, an organisation may disclose personal information about an individual without their consent if: 

      1. the disclosure of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way; 
      2. the disclosure is necessary for the medical treatment of the individual and the individual does not have the legal capacity to give consent; 
      3. it is reasonable to expect that the disclosure with the consent of the individual would compromise an investigation or proceeding and the disclosure is reasonable for purposes related to an investigation or a proceeding;
      4. the information is collected from certain public events; the disclosure is necessary to determine a suitability  to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary, or to be selected for an athletic or artistic purpose;
      5. the disclosure is necessary in order to collect a debt owed to the organisation or for the organisation to repay an individual money owed to them by the organisation;
      6. the personal information is disclosed in accordance with a provision of a treaty that British Columbia or Canada is a party to and that authorises or requires its disclosure;
      7. the disclosure is for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body with jurisdiction to compel the production of personal information;
      8. the disclosure is to a public body or a law enforcement agency in Canada, concerning an offence under the laws of Canada or a province, to assist in an investigation, or in the making of a decision to undertake an investigation, to determine whether the offence has taken place, or to prepare for the laying of a charge or the prosecution of the offence;
      9. there are reasonable grounds to believe that compelling circumstances exist that affect the health or safety of any individual and if notice of disclosure is mailed to the last known address of the individual to whom the personal information relates;
      10. the disclosure is for the purpose of contacting next of kin or a friend of an injured, ill or deceased individual;
      11. the disclosure is to a lawyer who is representing the organisation; the disclosure is to an archival institution if the collection of the personal information is reasonable for research or archival purposes; or
      12. the disclosure is required or authorised by law.

      Additionally, under Section 19 of BC PIPA, an organisation may disclose employee personal information without the consent of the individual where the disclosure is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organisation and the individual, as long as it notifies the individual of the disclose, and the purposes for the dislcosure, beforehand.

      Moreover, according to Section 20 of BC PIPA, an organisation may disclose personal information about its employees, customers, directors, officers or shareholders without their consent, to a prospective party to a business transaction that involves substantial assets other than the data subjects' personal information. This applies if the personal information is necessary for the prospective party to determine whether to proceed with the business transaction, and the organisation and prospective party have entered into an agreement that requires the prospective party to use or disclose the personal information solely for purposes related to the prospective business transaction.

      According to Sections 21 and 22 of BC PIPA, an organisation may disclose information without consent, for research, statistical, archival or historial purposes, in certain circumstances.

    • Under Section 30 of the Freedom of Information and Protection of Privacy Act, RSBC 1996 c 165 a public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies:

      1. if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction;
      2. if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act;
      3. if it was disclosed under Section 33.1 (1) (i.1).
    • Official Guidelines on the general application of BC PIPA issued by the Office of the Information and Privacy Commissioner in October 2015. 

  • California
    • Not applicable.

    • Not applicable.

    • Certain public procurement contracts might impose domestic data storage as a requirement. In addition, contractors working in certain industries may be subject to certain localisation or other restrictions. For example, the U.S. Department of Defense ('DOD') requires cloud computing service providers that provide services to the DoD to store data relating to the DoD within U.S. territory, unless otherwise authorised in writing by the DoD.

    • Not applicable.

  • COPPA
    • COPPA does not contain any explicit cross-border data transfer restrictions. 

      However, §312.4 requires a website operator to provide notice and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children.

      Moreover, §312.8 requires an operator to take reasonable steps to release children's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security and integrity of such information, and who provide assurances that they will maintain the information in such a manner.

    • § 312.5(c) provides verifiable parental consent is not required prior to the collection, use, or disclosure of personal information from a child: 

      1. where the sole purpose of collecting the name or online contact information of the parent or child is to provide notice and obtain parental consent; 
      2. where the purpose of collecting a parent's online contact information is to provide voluntary notice to, and subsequently update the parent about, the child's participation in a website or online service that does not otherwise collect, use, or disclose children's personal information. In such cases, the parent's online contact information may not be used or disclosed for any other purpose; 
      3. where the sole purpose of collecting online contact information from a child is to respond directly on a one-time basis to a specific request from the child, and where such information is not used to re-contact the child or for any other purpose, is not disclosed, and is deleted by the operator from its records promptly after responding to the child's request; 
      4. where the purpose of collecting a child's and a parent's online contact information is to respond directly more than once to the child's specific request, and where such information is not used for any other purpose, disclosed, or combined with any other information collected from the child. In such cases, the operator must make reasonable efforts to ensure that the parent receives notice. 
      5. where the purpose of collecting a child's and a parent's name and online contact information, is to protect the safety of a child, and where such information is not used or disclosed for any purpose unrelated to the child's safety;
      6. where the purpose of collecting a child's name and online contact information is to (i) protect the security or integrity of its website or online service; (ii) take precautions against liability; (iii) respond to judicial process; or (iv) to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety; and where such information is not be used for any other purpose;
      7. where an operator collects a persistent identifier and no other personal information and such identifier is used for the sole purpose of providing support for the internal operations of the website or online service;
      8. where an operator collects a persistent identifier and no other personal information from a user who affirmatively interacts with the operator and whose previous registration with that operator indicates that such user is not a child. 

      According to § 312.6, disclosures made in good faith and following reasonable procedures in responding to a request for disclosure of personal information to the parent of a child are allowed.

    • No further information.

    • Complying with COPPA: Frequently Asked Questions issued by the Federal Trade Commission.

  • Iraq
    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No Transfers Note currently available.

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Third Country Assessments

Schrems II - Third Country Assessment

  • There is a requirement in place.
  • Click to view information for additional detail.
  • There is no requirement in place.
    Applicable Law
  • Human rights law
  • Authority access law
  • Legal bases for access
  • Other limits on access
    Authority Functions
  • Authorities
  • Oversight mechanisms
  • Legal remedies data subjects
  • Legal remedies organisations
    title
  • Overseas subjects
  • International commitments
  • Further information
  • Albania
  • Argentina
  • Armenia
  • Australia
  • Azerbaijan
  • Bahrain
  • Bangladesh
  • Bosnia & Herzegovina
  • Brazil
  • California
  • Cameroon
  • Canada Federal
  • Cayman Islands
  • Colorado
  • Democratic Republic of Congo
  • Israel
  • Jamaica

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

International Agreements

Data Transfer Agreements

This Comparison provides information regarding international data transfer agreements. Note that terminology varies across jurisdictions and certain agreements are non-binding.

Please see the Key for further information.

  • There are comprehensive provisions/agreements in place.
  • There are limited agreements/provisions in place.
  • There is no equivalent agreement or provision in place.

Primary Agreements:

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108'): binding legal instrument requiring parties to take necessary steps to apply certain data protection principles within domestic legislation, including that a party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another party. (See Article 12 for further information).

Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows ('Treaty 181'): specifies that data may only be transferred if the recipient State or international organisation is able to afford an adequate level of protection.

Convention 108+: Convention for the Protection of Individuals with Regard to the Processing of Personal Data ('Convention 108+'): updated version of Convention 108, which amends certain principles on transborder flows, such as that a party shall not prohibit transborder flows of personal data to a subject of a jurisdiction of another party to the convention. (See Article 14 for further information).

Binding Corporate Rules ('BCRs'): data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Such rules must be legally binding and enforced by every member concerned of the group. Certain jurisdictions outside the EU also use the term BCRs to refer to binding intragroup agreements.

Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system ('APEC CBPRs'): voluntary certification system designed to facilitate cross-border data transfers between organisations based in participating jurisdictions. (See the APEC CBPR Comparison, located via the tab above, for further information).

Standard contractual clauses ('SCCs'): Model clauses for data transfer agreements, also referred to as 'model contracts' or 'model terms'. See column 7 below on Additional information.

Other Multi-Participant Agreements:

Comprehensive and Progressive Agreement for Trans-Pacific Partnership ('CPTPP'): Chapter 14 on Electronic Commerce provides that parties will establish a legal framework for the protection of personal information and allow cross-border transfers of personal information when this activity is for the conduct of a covered person.

Agreement between the United States of America, the United Mexican States, and Canada ('USMCA'): Chapter 19 on Digital Trade provides that participating Parties recognise principles of data protection, and should not restrict or prohibit cross-border data flows.

EU-Central America Association Agreement ('EU-Central America Agreement'): Article 198 provides that each party shall adopt or maintain adequate safeguards to the protection of privacy and fundamental rights, and freedom of individuals, in particular with regard to the transfer of personal data.

Deep and Comprehensive Free Trade Area ('DCFTA'): There are three DCFTAs agreed between the EU and Georgia, the EU and Moldova, and the EU and Ukraine. The DCFTAs are established as part of the Association Agreements between the EU and these jurisdictions. These agreements provide certain principles related to personal data protection, including that the parties will ensure that appropriate safeguards will be maintained regarding the transfer of personal data.

The OECD Privacy Framework ('OECD Privacy Framework'): provides non-binding guidance, including privacy principles and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

African Union Convention on Cyber Security and Personal Data Protection ('AU Convention'): provides that national data protection authorities should be responsible for authorising cross-border tansfers to third parties, and that transfers to non-Member States of the African Union should only be allowed where such states provide an adequate level of protection of privacy. (See Article 12 for further information).

The APEC Privacy Framework ('APEC Privacy Framework'): provides non-binding principles and suggestions for implementation in order to ease cross-border transfers of personal data and provide guidance to businesses on privacy issues. The APEC Framework is considered a precursor to the APEC Cross-Border Privacy Rules system, which follows the same principles (see column 3).

ASEAN Framework on Personal Data Protection ('ASEAN Framework'): non-binding agreement which notes that before transferring personal data to another country or territory, the organisation should either obtain the consent of the individual for the overseas transfer or take reasonable steps to ensure that the receiving organisation will protect the personal data consistently with the principles of the Framework.

ASEAN Framework on Digital Data Governance('ASEAN Digital Governance Framework'): sets out principles for cross-border data flows among ASEAN nations, including that a mechanism will be developed and that restrictions on cross-border flows will be minimised.

Standards for Personal Data Protection for Ibero-American States ('RIPD Standards'): provide non-binding guidance for regulatory initiatives, including rules for transferring personal data.

Digital Economy Partnership Agreement ('DEPA'): agreement between Chile, New Zealand, and Singapore, signed on 12 June 2020, which provides commitments related to data transfers. One such commitment is that each party shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.

    title
  • EU/EEA, EU Adequacy
  • Convention 108
  • APEC CBPRs
  • BCRs/Intragroup Agreements
  • Whitelists/Requires Adequate Protection
  • Other Multi-Participant Agreements
  • Additional
  • Afghanistan
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • No further information available.

    • No further information available.

    • No further information available.

  • Albania
    • Not applicable.

    • Convention 108 (reservations and declarations available here and here)

      Treaty 181

    • Not applicable.

    • No further information available.

    • The Information and Data Protection Commissioner ('IDP') has issued Decision No. 8 of 31 October 2016, on the Countries with Adequate Level of Protection for Personal Data (only available in Albanian here).

    • No further information available.

    • No further information available.

  • Algeria
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • Under Law No. 18-07 of 25 Ramadhan 1439 Corresponding to June 10, 2018 Relating to the Protection of Individuals in the Processing of Personal Data (only available in French here) the national authority may authorise international data transfers where the receiving State is deemed to provide an adequate level of protection of life, privacy and fundamental rights and freedoms of individuals with regard to the processing to which the data is subject or can be the subject.

    • No further information available.

    • No further information available.

  • Andorra
    • Convention 108 (reservations and declarations available here and here)

      Treaty 181

      Signed Convention 108+ on 28 January 2019, but has yet to ratify.

    • Not applicable.

    • No further information available.

    • Article 35 of the Qualified Act 15/2003, of 18 December, of Personal Data Protection ('the Act') provides that no international data communication may be effected unless the current regulations in the country of destination establish a level of personal data protection at least equivalent to that established in the Act. Article 36 of the Act further provides that the following have a level of protection equivalent to the Act:

      a) Member countries of the European Union.

      b) Countries declared by the European Communities Commission as countries with protection equivalent.

      c) Countries declared as such by the Andorran Data Protection Agency.

    • RIPD Standards

    • No further information available.

  • Angola
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • According to Section 33 of the Law No. 22/11 on the Protection of Personal Data ('the Law') (only available in Portuguese here), data transfers are prohibited to countries that do not ensure an adequate level of protection. The adequacy must be assessed by the Agency for the Protection of Personal Data, which has not yet been created.

    • No further information available.

    • No further information available.

  • Anguilla
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • No further information available.

    • No further information available.

    • No further information available.

  • Antigua and Barbuda
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • No further information available.

    • No further information available.

    • No further information available.

  • Argentina
  • Armenia
    • Not applicable.

    • Convention 108 (declaration available here)

      Treaty 181

      Signed Convention 108+ on 2 October 2019, but has yet to ratify.

    • Not applicable.

    • No further information available.

    • A whitelist was released on 11 February 2020 (only available in Armenian here), which includes:

      • Albania
      • Andorra
      • Argentina
      • Austria
      • Belgium
      • Bosnia and Herzegovina
      • Bulgaria
      • Canada
      • Croatia
      • Cyprus
      • Czech Republic
      • Denmark
      • Estonia
      • Finland
      • France
      • Georgia
      • Germany
      • Greece
      • Hungary
      • Iceland
      • Republic of Ireland
      • Italy
      • Israel
      • Latvia
      • Liechtenstein
      • Lithuania
      • Luxembourg
      • Macedonia
      • Malta
      • Moldova
      • Monaco
      • Montenegro
      • Netherlands
      • New Zealand
      • Norway
      • Poland
      • Portugal
      • Romania
      • Russia
      • San Marino
      • Serbia
      • Slovakia
      • Slovenia
      • Spain
      • Sweden
      • Switzerland
      • UK & Northern Ireland
      • Ukraine
      • Uruguay and
      • USA

       

      Personal data may be transferred to another state without the permission of the authorised body where, the State ensures an adequate level of personal data protection. An adequate level of personal data protection will be considered to be ensured where personal data is transferred in compliance with international agreements or where personal data is transferred to a State that is included in the published whitelist.

    • No further information available.

    • For further information see: Armenia - Data Transfers

  • Australia
  • Azerbaijan
    • Not applicable.

    • Convention 108 (declaration avaliable here)

    • Not applicable.

    • No further information available.

    • No further information available.

    • No further information available.

    • No further information available.

  • Bahrain
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • Under Article 12 of Law No. (30) of the Year 2018 Issuing a Law on the Protection of Personal Data (only available in Arabic here) ('the Law') data transfers outside Bahrain are prohibited, unless:

      the relevant country or territory provides adequate protection of personal data, based on the assessment of the competent authority; or

      the competent authority permits the transfer, having assessed the circumstances.

      The Data Protection Authority ('the Authority') shall issue a statement published in the Official Gazette containing a list of countries and territories to which data transfers is permissible. The Authority will issue such list after taking into consideration territories which have applicable data protection legislation and regulations that are deemed satisfactory to the extent which ensures to the Authority the adequacy of the protection provided by the laws and regulations of the said territories. Please note that the Law recently entered into force, therefore many procedural and regulatory issues which are to be decided by the Data Protection Authority ('the Authority')'s resolution(s) are yet to be issued.

    • No further information available.

    • No further information available.

  • Bolivia
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • No further information available.

    • No further information available.

    • No further information available.

  • California
    • Please note that, as a result of the Court of Justice of the European Union's decision on 16 July 2020, the EU-US Privacy Shield was declared invalid.

      The EU-US Privacy Shield Framework and Swiss-U.S. Privacy Shield frameworks were designed by the U.S. Department of Commerce, and the European Commission and the Swiss Administration respectively to transfer personal data between the EU and the United States, or between Switzerland and the United States, while complying with data protection requirements in the EU and Switzerland. 

    • Not applicable.

    • The APEC Cross-Border Privacy Rules system is used a valid mechanism to facilitate cross-border information transfers while protecting personal information and it implements the APEC Privacy Framework, a principles-based framework designed to encourage the development of privacy protections while ensuring the free flow of information in the Asia-Pacific region.

    • Not applicable.

    • Not applicable.

    • The United States has entered into various international agreements that prohibit discriminatory practices including data localization measures. For example, both the United States-Japan Digital Trade Agreement and the United States-Mexico-Canada Agreement specifically prohibit data localisation measures that restrict where data can be stored and processed as a condition for conducting business in that territory.

    • Not applicable.

  • Canada Federal
  • Iraq
    • Not applicable.

    • Not applicable.

    • Not applicable.

    • No further information available.

    • No further information available.

    • No further information available.

    • No further information available.

  • USA Federal
    • Please note that, as a result of the Court of Justice of the European Union's decision on 16 July 2020, the EU-US Privacy Shield was declared invalid.

      Swiss-US Privacy Shield, which is a self-certification system in which US organisations can commit to following to comply with the Swiss-US Privacy Shield's framework. Compliance with the requirements of the Swiss-US Privacy Shield becomes enforceable under US law after this commitment. For further information, please see: USA - Privacy Shield.

      The European Commission and United States announced, on 25 March 2022, that they had confirmed an agreement in principle for a new Transatlantic Data Privacy Framework to facilitate data transfers between the EU and US. In addition, both the European Commission published factsheets on the new framework, respectively here and here, which explain that the agreement in principle must now be translated into legal documents whereby the US commitments will be included in an Executive Order that will form the basis of a draft adequacy decision by the Commission to put in place the new framework. For further information, see Schrems II Portal.

    • Not applicable.

    • Participant in the APEC CBPR system and APEC PRP system, with two Accountability Agents. See: USA - APEC CBPR Overview

    • No further information available.

    • No further information available.

    • USMCA

      OECD Privacy Framework

      APEC Privacy Framework

      The Agreement Between the United States of America and Japan Concerning Digital Trade, which provides that neither Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means, if this activity is for the conduct of the business of a covered person (Article 11.1).

    • No further information available.

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Privacy Shield to EU-US DPF

The below document is a copy of the SCCs for the transfer of personal data to third countries adopted by the European Commission on 4 June 2021. The four modules as defined by the Commission are:

  • Module 1: Controller to controller
  • Module 2: Controller to processor
  • Module 3: Processor to processor
  • Module 4: Processor to controller

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)1 for the transfer of personal data to a third country.

(b)  The Parties:

(i)  the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter 'entity/ies') transferring the personal data, as listed in Annex I.A. (hereinafter each 'data exporter'), and

(ii)  the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”).

have agreed to these standard data protection clauses (hereinafter: “Clauses”).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);

(iii) Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);

(iv) Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18. (b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 - Optional

Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II - OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B. It may only process the personal data for another purpose:

(i) where it has obtained the data subject’s prior consent;

(ii) where necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iii) where necessary in order to protect the vital interests of the data subject or of another natural person.

8.2 Transparency

(a) In order to enable data subjects to effectively exercise their rights pursuant to Clause 10, the data importer shall inform them, either directly or through the data exporter:

(i) of its identity and contact details;

(ii) of the categories of personal data processed;

(iii) of the right to obtain a copy of these Clauses;

(iv) where it intends to onward transfer the personal data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such onward transfer and the ground therefore pursuant to Clause 8.7.

(b) Paragraph (a) shall not apply where the data subject already has the information, including when such information has already been provided by the data exporter, or providing the information proves impossible or would involve a disproportionate effort for the data importer. In the latter case, the data importer shall, to the extent possible, make the information publicly available.

(c) On request, the Parties shall make a copy of these Clauses, including the Appendix as completed by them, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the Parties may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

(d) Paragraphs (a) to (c) are without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.3 Accuracy and data minimisation

(a) Each Party shall ensure that the personal data is accurate and, where necessary, kept up to date. The data importer shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.

(b) If one of the Parties becomes aware that the personal data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.

(c) The data importer shall ensure that the personal data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of processing.

8.4 Storage limitation

The data importer shall retain the personal data for no longer than necessary for the purpose(s) for which it is processed. It shall put in place appropriate technical or organisational measures to ensure compliance with this obligation, including erasure or anonymisation2 of the data and all back-ups at the end of the retention period.

8.5 Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

(b) The Parties have agreed on the technical and organisational measures set out in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(c) The data importer shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(d) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.

(e) In case of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the data importer shall without undue delay notify both the data exporter and the competent supervisory authority pursuant to Clause 13. Such notification shall contain i) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained. To the extent it is not possible for the data importer to provide all the information at the same time, it may do so in phases without undue further delay.

(f) In case of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the data importer shall also notify without undue delay the data subjects concerned of the personal data breach and its nature, if necessary in cooperation with the data exporter, together with the information referred to in paragraph (e), points ii) to iv), unless the data importer has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts. In the latter case, the data importer shall instead issue a public communication or take a similar measure to inform the public of the personal data breach.

(g) The data importer shall document all relevant facts relating to the personal data breach, including its effects and any remedial action taken, and keep a record thereof.

8.6 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences (hereinafter “sensitive data”), the data importer shall apply specific restrictions and/or additional safeguards adapted to the specific nature of the data and the risks involved. This may include restricting the personnel permitted to access the personal data, additional security measures (such as pseudonymisation) and/or additional restrictions with respect to further disclosure.

8.7 Onward transfers

The data importer shall not disclose the personal data to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) unless the third party is or agrees to be bound by these Clauses, under the appropriate Module. Otherwise, an onward transfer by the data importer may only take place if:

(i) it is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;

(iii) the third party enters into a binding instrument with the data importer ensuring the same level of data protection as under these Clauses, and the data importer provides a copy of these safeguards to the data exporter;

(iv) it is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings;

(v) it is necessary in order to protect the vital interests of the data subject or of another natural person; or

(vi) where none of the other conditions apply, the data importer has obtained the explicit consent of the data subject for an onward transfer in a specific situation, after having informed him/her of its purpose(s), the identity of the recipient and the possible risks of such transfer to him/her due to the lack of appropriate data protection safeguards. In this case, the data importer shall inform the data exporter and, at the request of the latter, shall transmit to it a copy of the information provided to the data subject.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.8 Processing under the authority of the data importer

The data importer shall ensure that any person acting under its authority, including a processor, processes the data only on its instructions.

8.9 Documentation and compliance

(a) Each Party shall be able to demonstrate compliance with its obligations under these Clauses. In particular, the data importer shall keep appropriate documentation of the processing activities carried out under its responsibility.

(b) The data importer shall make such documentation available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

Clause 10 

Data subject rights

(a) The data importer, where relevant with the assistance of the data exporter, shall deal with any enquiries and requests it receives from a data subject relating to the processing of his/her personal data and the exercise of his/her rights under these Clauses without undue delay and at the latest within one month of the receipt of the enquiry or request.10 The data importer shall take appropriate measures to facilitate such enquiries, requests and the exercise of data subject rights. Any information provided to the data subject shall be in an intelligible and easily accessible form, using clear and plain language.

(b) In particular, upon request by the data subject the data importer shall, free of charge : (i) provide confirmation to the data subject as to whether personal data concerning him/her is being processed and, where this is the case, a copy of the data relating to him/her and the information in Annex I; if personal data has been or will be onward transferred, provide information on recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the personal data has been or will be onward transferred, the purpose of such onward transfers and their ground pursuant to Clause 8.7; and provide information on the right to lodge a complaint with a supervisory authority in accordance with Clause 12(c)(i); (ii) rectify inaccurate or incomplete data concerning the data subject; (iii) erase personal data concerning the data subject if such data is being or has been processed in violation of any of these Clauses ensuring third-party beneficiary rights, or if the data subject withdraws the consent on which the processing is based.

(c) Where the data importer processes the personal data for direct marketing purposes, it shall cease processing for such purposes if the data subject objects to it.

(d) The data importer shall not make a decision based solely on the automated processing of the personal data transferred (hereinafter “automated decision”), which would produce legal effects concerning the data subject or similarly significantly affect him / her, unless with the explicit consent of the data subject or if authorised to do so under the laws of the country of destination, provided that such laws lays down suitable measures to safeguard the data subject’s rights and legitimate interests.

In this case, the data importer shall, where necessary in cooperation with the data exporter:

(i) inform the data subject about the envisaged automated decision, the envisaged consequences and the logic involved; and

(ii) implement suitable safeguards, at least by enabling the data subject to contest the decision, express his/her point of view and obtain review by a human being.

(e) Where requests from a data subject are excessive, in particular because of their repetitive character, the data importer may either charge a reasonable fee taking into account the administrative costs of granting the request or refuse to act on the request.

(f) The data importer may refuse a data subject’s request if such refusal is allowed under the laws of the country of destination and is necessary and proportionate in a democratic society to protect one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679.

(g) If the data importer intends to refuse a data subject’s request, it shall inform the data subject of the reasons for the refusal and the possibility of lodging a complaint with the competent supervisory authority and/or seeking judicial redress.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

[OPTION: The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.]

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.

(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13

Supervision

(a) [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.]

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three: , if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it: (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer. [For Module Three: The data exporter shall forward the notification to the controller.]

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). [For Module Three: The data exporter shall forward the information to the controller.]

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where: (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension; (ii) the data importer is in substantial or persistent breach of these Clauses; or (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses. In these cases, it shall inform the competent supervisory authority [for Module Three: and the controller] of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) [For Modules One, Two and Three: Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.] [For Module Four: Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof.] The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

[OPTION 1: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]

[OPTION 2 (for Modules Two and Three): These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of _____ (specify Member State)

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX

EXPLANATORY NOTE:

It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)1 for the transfer of personal data to a third country.

(b)  The Parties:

(i)  the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter 'entity/ies') transferring the personal data, as listed in Annex I.A. (hereinafter each 'data exporter'), and

(ii)  the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”).

have agreed to these standard data protection clauses (hereinafter: “Clauses”).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);

(iii) Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);

(iv) Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18. (b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 - Optional

Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II - OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

(a) The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.

(b) The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.

(c) The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.

(d) The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to rectify or erase the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person. Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.

(c) The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.

(d) The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.

(e) Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.

(f) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(g) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a) OPTION 1: SPECIFIC PRIOR AUTHORISATION The data importer shall not subcontract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the prior specific written authorisation of the controller. The data importer shall submit the request for specific authorisation at least [Specify time period] prior to the engagement of the subprocessor, together with the information necessary to enable the controller to decide on the authorisation. It shall inform the data exporter of such engagement. The list of sub-processors already authorised by the controller can be found in Annex III. The Parties shall keep Annex III up to date.

OPTION 2: GENERAL WRITTEN AUTHORISATION The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of subprocessors at least [Specify time period] in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the subprocessor to fulfil its obligations under that contract.

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10 

Data subject rights

(a) The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.

(b) The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

[OPTION: The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.]

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage. (g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a) [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.]

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three: , if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it: (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer. [For Module Three: The data exporter shall forward the notification to the controller.]

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). [For Module Three: The data exporter shall forward the information to the controller.]

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where: (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension; (ii) the data importer is in substantial or persistent breach of these Clauses; or (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses. In these cases, it shall inform the competent supervisory authority [for Module Three: and the controller] of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) [For Modules One, Two and Three: Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.] [For Module Four: Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof.] The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

[OPTION 1: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]

[OPTION 2 (for Modules Two and Three): These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of _____ (specify Member State)

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX

EXPLANATORY NOTE:

It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)1 for the transfer of personal data to a third country.

(b)  The Parties:

(i)  the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter 'entity/ies') transferring the personal data, as listed in Annex I.A. (hereinafter each 'data exporter'), and

(ii)  the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”).

have agreed to these standard data protection clauses (hereinafter: “Clauses”).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);

(iii) Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);

(iv) Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18. (b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 - Optional

Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II - OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

(a) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.

(b) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.

(c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.

(d) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

8.2 Security of processing

(a) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data7 , the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

(b) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.

(c) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3 Documentation and compliance

(a) The Parties shall be able to demonstrate compliance with these Clauses.

(b) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

Clause 9

Use of sub-processors

Clause 10 

Data subject rights

The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

[OPTION: The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.]

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.

(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13

Supervision

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.]

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three: , if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

(where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it: (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer. [For Module Three: The data exporter shall forward the notification to the controller.]

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). [For Module Three: The data exporter shall forward the information to the controller.]

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where: (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension; (ii) the data importer is in substantial or persistent breach of these Clauses; or (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses. In these cases, it shall inform the competent supervisory authority [for Module Three: and the controller] of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) [For Modules One, Two and Three: Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.] [For Module Four: Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof.] The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify country).

Clause 18

Choice of forum and jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts of _____ (specify country).

APPENDIX

EXPLANATORY NOTE:

It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of the data exporter’s data protection officer and/or representative in the European Union]

1. Name: ...

Address: ...

Contact person’s name, position and contact details: ... Activities relevant to the data transferred under the Clauses: ... Signature and date: ... Role (controller/processor):...

 

2. ...

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

1. Name: ...

Address: ...

Contact person’s name, position and contact details: ... Activities relevant to the data transferred under the Clauses: ... Signature and date: ... Role (controller/processor):...

2. ...]

B. DESCRIPTION OF THE TRANSFER

Categories of data subjects whose personal data is transferred .............................

Categories of personal data transferred

.............................

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

.............................

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). …………………………

Nature of the processing  …………………………

Purpose(s) of the data transfer and further processing

.............................

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period 

..........................

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

C. COMPETENT SUPERVISORY AUTHORITY

For Modules 1, 2 and 3

Identify the competent supervisory authority/ies in accordance with Clause 13 ………………………….

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Modules 1, 2 and 3

EXPLANATORY NOTE: The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Examples of possible measures:

Measures of pseudonymisation and encryption of personal data

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Measures for user identification and authorisation

Measures for the protection of data during transmission

Measures for the protection of data during storage

Measures for ensuring physical security of locations at which personal data are processed

Measures for ensuring events logging

Measures for ensuring system configuration, including default configuration

Measures for internal IT and IT security governance and management

Measures for certification/assurance of processes and products

Measures for ensuring data minimisation

Measures for ensuring data quality

Measures for ensuring limited data retention

Measures for ensuring accountability

Measures for allowing data portability and ensuring erasure]

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

List of Sub-Processors

Modules 2 and 3

EXPLANATORY NOTE:

This Annex must be completed for Modules Two and Three, in case of the specific authorisation of sub-processors (Clause 9(a), Option 1).

The controller has authorised the use of the following sub-processors:

1. Name: …

Address: …

Contact person’s name, position and contact details: …

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): …

Mechanisms for Data Transfers under the GDPR:

The European Commission describes adequacy decisions as follows:

'The European Commission has the power to determine, on the basis of Article 45 of General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision involves:

  • a proposal from the European Commission;
  • an opinion of the European Data Protection Board;
  • an approval from representatives of EU countries; and
  • the adoption of the decision by the European Commission.

At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation.

The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In others words, transfers to the country in question will be assimilated to intra-EU transmissions of data.'

The following jurisdictions have thus far been recognised as providing adequate protection for personal data (i.e. are party to an adequacy decision):

  • Andorra
  • Argentina
  • Canada (commercial organisations)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan (private sector)
  • Jersey
  • New Zealand
  • Switzerland (under review)
  • Uruguay
  • UK

Adequacy talks with South Korea are also currently ongoing.

For further information see the EU Adequacy Tab in the Data Transfers Portal.

Appropriate safeguards include standard contractual clauses ('SCCs') adopted by the Commission and SCCs adopted by a supervisory authority and approved by the Commission (Article 46(2)(c) and (d) of the GDPR). These SCCs may be included in a contract with another party as a means of providing protection for personal data. While the CJEU Decision ruled that SCCs were valid, it also noted that they do not on their own necessarily provide an adequate level of protection. This means that an assessment of the transfer should be made and that supplementary measures may need to be utilised alongside standard SCCs in order to ensure there is adequate ongoing protection.

The assessment is the responsibility of the exporter and importer and should determine whether the third country provides adequate protection. Since the CJEU Decision emphasised surveillance laws and public authority access to personal data in the US, guidance on assessments has tended to similarly highlight public authority access to data. Supplementary measures may involve amendments to the standard SCCs, or technical/organisational security measures such as encryption, however further guidance on this matter is expected from the EDPB and supervisory authorities.

Prior to the CJEU Decision, the Commission issued the following decisions on EU controller to non-EU or EEA controller and EU controller to non-EU or EEA processor SCCs:

Finalised new SCCs

The Commission released, on 12 November 2020, revised SCCs for public consultation.

On 4 June 2021, the Commission announced that it had adopted two sets of new SCCs having taken into account the Schrems II judgment, the joint opinion of the European Data Protection Board and the European Data Protection Supervisor, feedback from stakeholders during the public consultation and the opinion of Member States' representatives. The new SCCs consist of:

  1. SCCs between controllers and processors; and
  2. SCCs for the transfer of personal data to third countries.

For further information, see the Schrems II Portal.

Binding corporate rules ('BCRs') are considered an appropriate safeguard under Article 46 of the GDPR.

BCRs are approved by the competent supervisory authority in accordance with the consistency mechanism set out in Article 63 of the GDPR, provided that they (Article 47(1) of the GDPR):

  • are legally binding and apply to and are enforced by every member concerned in the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
  • expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
  • fulfil the requirements laid down in Article 47(2) of the GDPR.

Processes for approving BCRs can be time consuming, however they have proved to be a popular mechanism for large multinational organisations and are becoming more common around the world.

Article 47(2) of the GDPR establishes information a BCR must specify, see EU - GDPR - Data Transfers.

The CJEU Decision, however, impacts BCRs in a similar manner to SCCs. BCRs are required to meet the same threshold for the ongoing adequate protection of personal data as SCCs. Therefore, the EDPB has noted that jurisdiction assessments and supplementary measures may be required for BCRs in the same fashion as they are for SCCs.

For further general BCR information see the following procedural documents endorsed by the EDPB:

The Commission provides an overview list of certain companies for which the EU BCR cooperation procedures is closed, last updated on 25 May 2018, and the EDPB provides a register of selected BCRs since 2019.

Article 40 of the GDPR sets out provisions for codes of conduct. Codes of conduct are voluntary tools developed by associations or other representative bodies that cover certain data protection issues and tend to apply within sectors. International data transfers is one of the topics that a code of conduct as recognised under the GDPR can cover. Codes of conduct must be approved by a supervisory authority, and supervisory authorities are also tasked with generally encouraging the use of codes of conduct.

There are several requirements for the information contained in a code of conduct, including that a mechnism is established for monitoring compliance. Article 41 of the GDPR details how a body may be accredited by a supervisory authority to monitor compliance with a code conduct. Organisations do not need to be subject to the GDPR in order to be an adherent to a code of conduct.

A code of conduct for international data transfers will need to ensure that relevant provisions on cross-border transfers, such as ongoing adequate protection of personal data, are complied with. Similarly to BCRs, the CJEU Decision impacts codes of conduct used for cross-border transfers as it sets a new threshold for what should be considered in assessing adequate protection.

For further information on codes of conduct, see the General Data Protection Regulation Portal.

Article 42 of the GDPR establishes processes for certification. Certification functions in a similar manner to codes of conduct, in that it too is a voluntary system that is monitored or regulated through an accredited body and is used by organisations as a means of demonstrating compliance. Article 43 of the GDPR sets out provisions for accreditation of certification bodies. Certification must be renewed at least every 3 years, and all certification mechanisms and data protection seals and marks are collected in a register by the European Data Protection Board ('EDPB'). Supervisory authorities within Member States as well as the EDPB have been steadily issuing guidance, opionions, and decisions on certification (see here).

Similarly to BCRs and codes of conduct, the CJEU Decision impacts certification mechanisms by setting a new threshold for cross-border data transfers.

Further to the above, in October 2022, the EDPB adopted Opinion 28/2022 on the Europrivacy Criteria of Certification regarding their Approval by the Board as European Data Protection Seal pursuant to Article 42(5) of the GDPR, which marks the approval of the very first European Data Protection Seal by the EDPB. For further information on the Europrivacy seal, see also the European Parliament's statement here.

For further information on certification mechanisms see:

Article 49 of the GDPR establishes that in the absence of an adequacy decision, or of appropriate safeguards pursuant to Article 46, including BCRs, SCCs, codes of conduct or certification, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; 
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; 
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; 
  • the transfer is necessary for important reasons of public interest; 
  • the transfer is necessary for the establishment, exercise or defence of legal claims; 
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
  • the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case. 

The EDPB has noted that, 'derogations under Article 49 are exemptions from the general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights in order to continue to benefit from their fundamental rights and safeguards. Due to this fact and in accordance with the principles inherent in European law, the derogations must be interpreted restrictively so that the exception does not become the rule.'

The EDPB also stresses that the derogations under Article 49 are for specific situations and should be 'occasional' and 'not repetitive'. As such, Article 49 derogations should not be utilised as a mechanism for recurring international data transfers.

In regard to consent, the EDPB has further specified that consent must be:

In relation to other derogations, the EDPB emphasises the importance of a 'necessity test' and the complexities of assessing whether a transfer can be considered necessary. In general terms, the EDPB strongly encourages the use of other mechanisms than Article 49 derogations wherever possible.

Following the CJEU Decision, several EU Member State supervisory authorities noted that transfers to the US, or to other third countries deemed not to provide adequate protection, were still possible under Article 49 derogations, at least on a temporary basis. However, these authorities also tend to note that Article 49 should not be relied upon for repeating or regular transfers.

For further information on Article 49, see the EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679.

The EDPB adopted two recommendations:

  1. Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data ('the Supplementary Measures Recommendations'), as finalised on 18 June 2021; and
  2. Recommendations 02/2020 on the European Essential Guarantees for Surveillance Measures ('the EEGs Recommendations').

A six-step roadmap

Whilst upholding the validity of the use of Standard Contractual Clauses ('SCCs'), the CJEU highlighted that controllers and processors are under an obligation to 'verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.'

In order to assist organisations with their assessments of third countries, as well as the types of measures that may be taken (technical, organisational, and contractual), the EDPB's Supplementary Measures Recommendations provides a roadmap of steps that businesses can follow:

  1. Know your transfers
  2. Identify the transfer tools you are relying on
  3. Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer
  4. Adopt supplementary measures
  5. Procedural steps if you have identified effective supplementary measures
  6. Re-evaluate at appropriate intervals

Step one: Know your transfers

As a first step, the EDPB recommends that organisations undertake a data transfer mapping exercise, which can often be significantly complex, in order to understand exactly what data is being transferred, to which jurisdictions, and to which parties, including sub-processors and onward transfers.

The EDPB recalls that 'knowing your transfers is an essential first step to fulfil your obligations under the principle of accountability,' and that 'to gain full awareness of your transfers, you can build on the records of processing activities that you may be obliged to maintain as controller or processor under Article 30 of the GDPR.'

In addition, the EDPB also highlights the importance of the data minimisation principle, and ensuring that 'the data you transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.'

Importantly, the EDPB also reminds organisations that remote access from third countries, as well as storage of data through cloud services outside the EEA offered by a service provider, are considered to be data transfers.

Furthermore, the EDPB highlights that if the data exporter uses international cloud infrastructure, it must assess if data will be transferred to third countries and where, unless the cloud provider clearly states in its contract that the data will not be processed at all in third countries. Notably, however, the wording of the final recommendations was updated to expressly state that such exception only applies 'if the cloud provider is established in the EEA'.

Step two: Identify the transfer tools you are relying on

The EDPB goes on to discuss the need to identify the most appropriate mechanism, as provided by the GDPR, for the relevant transfer. These mechanisms include:

Adequacy decisions

The European Commission has the power to determine, on the basis of Article 45 of the GDPR whether a country, sector, or region outside the EU offers an adequate level of data protection. The EDPB highlights that the effect of such a decision is that personal data can flow from the EEA to that third country without any further safeguard being necessary.

The EDPB also notes, however, that organisations must monitor such decisions in case they are revoked, and that 'adequacy decisions do not prevent data subjects from filing a complaint. Nor do they prevent supervisory authorities from bringing a case before a national court if they have doubts about the validity of a decision, so that a national court can make a reference for a preliminary ruling to the CJEU for the purpose of examining that validity.'

The following jurisdictions have thus far been recognised as providing adequate protection for personal data (i.e. are party to an adequacy decision):

  • Andorra
  • Argentina
  • Canada (commercial organisations)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan (private sector)
  • Jersey
  • New Zealand
  • Switzerland (under review)
  • Uruguay

The European Commission announced that it has begun the adequacy decision adoption process for South Korea and has published its Draft Decision on the adequate protection of personal data by the Republic of Korea. The draft decision now awaits the opinion of the EDPB and the approval of Member States.

In addition, the European Commission issued its draft adequacy decision on the adequate protection of personal data by the UK. The draft decision is currently being deliberated by the Member States' representatives.

The EDPB outlined that, in the absence of an adequacy decision, organisations will need to rely on one of the transfer tools listed under Articles 46 GDPR, or one of the derogations provided for in Article 49 of the GDPR.

Article 46 GDPR transfer tools

These include:

  • SCCs
  • Binding Corporate Rules ('BCRs');
  • codes of conduct;
  • certification mechanisms; and
  • ad hoc contractual clauses.

The EDPB highlights that, while the above transfer tools mainly contain appropriate safeguards of a contractual nature, the situation in the third country to which data is being transferred may still require organisations to supplement these transfer tools and the safeguards they contain with additional measures in order to ensure an essentially equivalent level of protection when utilising the transfer tools above (see step four below).

Derogations

In keeping with prior guidance issued on usage of the derogations provided for under Article 49 of the GDPR, the EDPB notes that derogations must be interpreted in a way that does not contradict the 'very nature of derogations as an exception to the rule that personal data may not be transferred to a third country unless it provides for an adequate level of data protection.' To this end, the EDPB notes that derogations cannot become 'the rule' in practice, but need to be 'restricted to specific situations.'

If transfers cannot be legally based on an adequacy decision, nor on an Article 49 derogation, organisations need to move to step three of the EDPB's roadmap.

Step three: Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer

The EDPB emphasises that a transfer tool or mechanism under Article 46 of the GDPR must be effective in ensuring that the level of protection guaranteed by the GDPR, read in light of the Charter of Fundamental Rights of the EU, is not undermined by the law and/or practices of the third country. Therefore, an assessment must be conducted once an Article 46 tool has been selected in order to determine where and how such essentially equivalent protection can be guaranteed. The responsibility for this assessment largely resides with the data exporter.

The assessment should primarily focus on the laws, regulations, and practices of the recipient jurisdiction, and particularly whether there are any risks that may affect the safeguards of the Article 46 transfer tool, such as unrestricted access to personal data by public authorities. Where appropriate, the EDPB notes that this can be done in collaboration with the data importer.

Transfer factors

Several factors are expected to be taken into account when conducting an assessment, including the nature of the transfer itself. For example, the EDPB highlights that the following should be considered:

  • all actors, such as processors or sub-processors, involved in the transfer;
  • purposes for which the data are transferred;
  • types of entities involved in the processing (public/private, controller/processor);
  • sector in which the transfer occurs (adtech, telecommunications, financial, etc.);
  • the categories of personal data transferred;
  • whether the data will be stored in the third country or if there is only remote access;
  • format of the data to be transferred (pseudonymised, encrypted, etc.); and
  • the possibility of onward transfers.

In addition, the EDPB states that the assessment should contain elements concerning access to data by public authorities of the third country such as:

  • whether public authorities may seek to access data with or without the data importer's knowledge, in light of legislation, practice, and reported precedents; and
  • whether public authorities may be able to access data through the data importer or telecommunication providers or communication channels in light of legislation, legal powers, technical, financial, and human resources at their disposal as well as of reported precedents.

Assessing laws

The above transfer factors may have an impact on the legal context that will also need to be assessed. When analysing laws and regulations of a third country, the EDPB notes that consideration should be made as to whether:

  • commitments to data subject rights can continue to be effectively applied;
  • the safeguards of an Article 46 transfer tool can be effectively applied, including a right of redress for data subjects in case of access to their data by public authorities in the third country; and
  • there are effective limits on requirements to disclose or allow access to personal data by public authorities.

In addition, the EDPB notes that different aspects of the legal system of that third country should also be assessed including:

  • the rule of law situation in a third country as it may be relevant to assess the effectiveness of available mechanisms for individuals to obtain (judicial) redress against unlawful government access to personal data; and
  • the existence of a comprehensive data protection law or an independent data protection authority, as well as adherence to international instruments providing for data protection safeguards, as it may contribute to ensuring the proportionality of government interference.

Further to the above, the EDPB clarifies that the scope of the assessment should be limited to the legislation and practices relevant for the protection of the specific data that will be transferred, in contrast with the general and wide encompassing adequacy assessments the European Commission carries out in accordance with Article 45 GDPR.

The EDPB also stresses that EU standards such as Articles 47 and 52 of the EU Charter of Fundamental Rights, must be used as a reference when conducting an assessment, and that the European Essential Guarantees for surveillance measures 'provide clarification on the elements which have to be assessed to determine whether the legal framework governing access to personal data by public authorities in a third country, being national security agencies or law enforcement authorities, can be regarded as a justifiable interference. In particular, this should be carefully considered when the legislation governing the access to data by public authorities is ambiguous or not publicly available.'

Furthermore, the EDPB advises that the legal framework of the third country applicable to the transfer, sources, and information should be relevant, objective, reliable, verifiable, and publicly available or otherwise accessible to determine whether the Article 46 transfer tool can be effectively applied and the company will have to assess and document that they satisfy these requirements.

Assessment outcomes

The practices within a third country are particularly important to consider when conducting an assessment. The EDPB recommends the following practices be taken into consideration:

  • whether the relevant legislation may formally meet EU standards on fundamental rights and freedoms and the necessity and proportionality of restrictions thereto;
  • whether there is relevant legislation in the third country e.g. on access to personal data held by the private sector;
  • whether the assessment reveals the relevant legislation in the third country is problematic; and/or
  • whether the transferred data and/or the importer might fall within the scope of this problematic legislation.

After analysing laws and regulations of a third country, the EDPB notes that consideration should be made as to whether Article 46 GDPR transfer tools relied on:

  • effectively ensure that the transferred personal data is afforded a level of protection that is essentially equivalent to that guaranteed in the EEA. Where the assessments find that essentially equivalent protection is provided, re-evaluations and monitoring should continue to occur as described in step six; or
  • do not effectively ensure an essentially equivalent level of protection. Where the assessment finds that essentially equivalent protection may not be provided, it is the responsibility of the data exporter to utilise supplementary measures or to not transfer personal data.

In cases where a company decides to proceed with a transfer without implementing supplementary measures, for example where a company considers that it has no reason to believe that relevant and problematic legislation will be applied; the EDPB recommends companies demonstrate and document through their assessment that the law is not interpreted and/or applied in practice so as to cover the transferred data and importer. The documentation should also consider the experience of other actors operating within the same sector and/or related to similar transferred personal data and the additional sources of information.

More generally, the EDPB suggests that assessments should be conducted with due diligence and documented thoroughly as the competent supervisory and/or judicial authorities may request such documentation and hold companies accountable for any decision taken on that basis.

Additional resources

Beyond the resources that may be provided by a data importer to assist in assessments, the EDPB provides a non-exhaustive list of resources that consider, including:

  • case-law of the CJEU and of the European Court of Human Rights as referred to in the European Essential Guarantees recommendations;
  • adequacy decisions in the country of destination if the transfer relies on a different legal basis; and
  • national case-law or decisions taken by independent judicial or administrative authorities competent on data privacy and data protection of third countries.

Further to the above, you may find our Schrems II - Third Country Assessment Comparison, which provides a comprehensive overview of key jurisdictions in line with the criteria set out by the CJEU, useful when conducting assessments of third countries. 

Step four: Adopt supplementary measures

Where a step three assessment indicates that essentially equivalent protection may not be maintained through the Article 46 transfer tool, additional supplementary measures should be considered. Such measures will need to be agreed with the data importer and be sufficient to provide essentially equivalent protection.

Supplementary measures should be considered on a case-by-case basis, be checked against the findings from steps one to three, and may include a combination of technical, organisational, or contractual measures. The EDPB highlights that 'contractual and organisational measures alone will generally not overcome access to personal data by public authorities of the third country based on problematic legislation and/or practices.' In such instances, the EDPB notes that technical measures may be of use to prevent access from public authorities, but may complement technical measures and strengthen the overall level of protection of data (e.g. by introducing checks and eliminating automatisms for attempts from public authorities to access data in a manner not compliant with EU standards).

Assessing supplementary measures

The EDPB notes that the following factors may be considered in collaboration with the data importer, where appropriate, in order to assess the most effective supplementary measures:

  • format of the data;
  • nature of the data;
  • length and complexity of data processing workflow (number of actors involved in the processing and their relationships);
  • technique or parameters of practical application of the third country law; and
  • possibility that the data may be subject to onward transfers, within the same third country or to other third countries.

Examples of supplementary measures

The EDPB provides a detailed consideration of potential supplementary measures as well as conditions for their effectiveness in Annex 2 of its Recommendations. In relation to technical measures, the EDPB considers several use cases where such measures may or may not be effective. Within these use cases, the EDPB discusses, among other things, state-of-the-art encryption, appropriate handling of cryptographic keys, pseudonymisation, separating information, and thorough preparation against cryptanalysis.

The EDPB also examines additional contractual and organisational measures, including:

  • contractual obligations for technical measures, transparency, specific actions, or data subject rights;
  • internal governance policies, especially within enterprise groups;
  • accountability measures, such as transparency reports;
  • data minimisation;
  • adoption of standards and best practices;
  • regular reviews; and
  • data importer commitments.

The effectiveness of all of the above supplementary measures will need to be demonstrable, and the EDPB sets out specific conditions for this effectiveness. Whether any of these measures, alone or in combination, may be considered effective in providing essentially equivalent protection will be dependent on the specific case.

Outcomes

Measures are effective

Where supplementary measures can ensure an essentially equivalent protection of personal data, the transfer should be viable. To this end, the EDPB outlines a number of scenarios in which effective measures would be identified, including:

  • the usage of encryption where a data exporter uses a hosting service provider in a third country to store personal data;
  • where a data exporter first pseudonymises data it holds, and then transfers it to a third country for analysis;
  • where data is encrypted to protect it from access by the public authorities of a third country when it transits between the exporter and its importer; and
  • the usage of transport encryption where a data exporter transfers personal data to a data importer in a third country specifically protected by that country's law, e.g., for the purpose of jointly provide medical treatment for a patient, or legal services to a client.

Please note that in some cases, in particular where there are modifications of SCCs, there may be further procedural requirements, as discussed in step five below.

Measures are not effective

Where supplementary measures are not able to ensure an essentially equivalent protection of personal data transfers should not start on the basis of the Article 46 transfer tool being relied upon. Where a transfer has already started, it must be suspended or ended. Furthermore, the EDPB notes that, 'Pursuant to the safeguards contained in the Article 46 GDPR transfer tool you are relying on, the data that you have already transferred to that third country and the copies thereof should be returned to you or destroyed in their entirety by the importer.'

The EDPB highlights that the competent supervisory authority may impose any other corrective measure (e.g. a fine) if, despite the fact that the organisation cannot demonstrate an essentially equivalent level of protection in the third country, it starts or continues the transfer.

In regard to non-effective measures, the EDPB outlines a number of scenarios in which effective measures have not been identified, for example, in relation to cloud service providers, where a data exporter has personal data processed according to its instructions in a third country, and this data is not - or cannot - be pseudonymised because the processing requires accessing data in the clear. The EDPB provides that where unencrypted personal data is technically necessary for the provision of the service by the processor, transport encryption and data-at-rest encryption even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys. Therefore, the EDPB stresses that based on the current state of the art, it is incapable of envisioning an effective technical measure to prevent that access from infringing on the data subject's fundamental rights.

Step five: Procedural steps if you have identified effective supplementary measures

Depending which Article 46 transfer tool is selected, further procedural steps may be required. These specifically apply if SCCs, BCRs, or other ad-hoc contractual clauses are used.

SCCs

Unmodified

The EDPB notes that there is no requirement to seek authorisation from a competent supervisory authority when supplementary clauses or safeguards are being added to SCCs so long as the measures 'do not contradict, directly or indirectly, the SCCs and are sufficient to ensure that the level of protection guaranteed by the GDPR is not undermined'.

However, the EDPB also emphasises that it is the responsibility of the data exporter and importer to ensure that additional clauses, 'cannot be construed in any way to restrict the rights and obligations in the SCCs or in any other way to lower the level of data protection'. Furthermore, organisations should be able to demonstrate that protections are sufficient, including that the unambiguity of all clauses, according to the accountability principle and the organisation's obligation to provide for a sufficient level of data protection.

In addition, the EDPB notes that competent supervisory authorities have the power to review these supplementary clauses.

Modified

Where the SCCs themselves are to be modified, or where supplementary measures directly or indirectly contradict the SCCs, authorisation must be sought from the competent supervisory authority.

BCRs

The EDPB highlights that the Schrems II judgment applies to other transfer tools under Article 46 of the GDPR as these are 'basically of contractual nature, so the guarantees foreseen and the commitments taken by the parties therein cannot bind third country public authorities.'

In relation to BCRs, the EDPB notes that, 'the Schrems II judgement is relevant for transfers of personal data on the basis of BCRs, since third countries laws may affect the protection provided by such instruments. To this end, the EDPB provides that all commitments that need to be included will be referred to in the updated WP256/257 referential to which all groups relying on BCRs as transfer tools will have to align their existing and future BCRs.

The EDPB also outlines that data exporters and importers will need to assess whether there is essentially equivalent protection provided to personal data in third countries when utilising BCRs, and employ any supplementary measures where applicable.

Ad hoc contractual clauses

The EPDB comments similarly on ad hoc clauses as it does on BCRs, noting that the Schrems II judgement has an impact and that essentially equivalent protection should be ensured.

Specifically, the EPDB states, the Schrems II judgment also applies to other transfer instruments pursuant to Article 46 (2) GDPR since all of these instruments are of a contractual nature, the guarantees foreseen and the commitments taken by the parties cannot bind third country public authorities, and therefore, are relevant to transfers of  personal data on the basis of ad hoc contractual clauses, since third countries laws may affect the protection provided by such instruments.

Step six: Re-evaluate at appropriate intervals

The EDPB highlights that monitoring should be conducted on an 'ongoing basis'. Such monitoring should address any relevant developments in the third country that could affect the initial assessment of the level of protection and the decisions that were taken, and, where appropriate, may include collaboration with data importers.

Furthermore, the EDPB outlines that mechanisms should be in place to promptly suspend or end transfers where:

  • the importer has breached, or is unable to fulfil the commitments it has taken in the Article 46 GDPR transfer tool; or
  • supplementary measures are no longer effective.

Role of European Essential Guarantees

The Schrems II judgement established a new threshold for data transfers to third countries from the EU. One of the key requirements involved in meeting this threshold is to ensure that a recipient third country provides an adequate, essentially equivalent, level of protection for personal data. In order to understand whether such protection can be maintained, data exporters, in collaboration with data importers where appropriate, are expected to conduct assessments of third countries' relevant legislation and practices.

The European Essential Guarantees ('EEGs') are referential standards identified after the Court of Justice of the European Union ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems 2016/4809P ('Schrems I') as a means to ensure that national surveillance measures would not inappropriately impede upon the rights to privacy and the protection of personal data of citizens during international data transfers. The EDPB notes in its EEGs Recommendations that the EEGs, 'provide elements to examine, whether surveillance measures allowing access to personal data by public authorities in a third country, being national security agencies or law enforcement authorities, can be regarded as a justifiable interference or not.'

The EDPB stresses that although the EEGs may form part of the assessment of third country legislation for data transfers, they are not exclusive and do not constitute a complete list of what is necessary to demonstrate essentially equivalence in a jurisdiction. Furthermore, the EEGs overlap in their scope and should be assessed on an overall basis rather than separately.

The guarantees

The EDPB begins the EEGs Recommendations by considering relevant provisions of the Charter of Fundamental Rights of the EU ('the Charter'), and in particular that it cannot be justified for public authorities to further use personal data for surveillance measures beyond what is strictly necessary. Furthermore, the EPDB then goes on to analyse CJEU commentary on the Charter and the right to privacy. In so doing, the EDPB sets out the basis upon which the EEGs are established.

The EDPB specifies, 'Following the analysis of the jurisprudence, the EDPB considers that the applicable legal requirements to make the limitations to the data protection and privacy rights recognised by the Charter justifiable can be summarised in four European Essential Guarantees':

  • Guarantee A - Processing should be based on clear, precise and accessible rules
  • Guarantee B - Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
  • Guarantee C - An independent oversight mechanism should exist
  • Guarantee D - Effective remedies need to be available to the individual

Guarantee A

Guarantee A indicates that the applicable domestic legislation should ensure that processing is based on clear, precise and accessible rules, including the following:

  • precise, clear, and accessible legal basis, which includes;
    • clear and precise rules on scope and minimum safeguards;
    • categories of individuals potentially subject to surveillance;
    • limits on duration of measure;
    • procedure for examining, using and storing collected data;
    • precautions for communicating data to third parties;
  • actionable data subject rights;
  • law must indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted; and
  • There should be foreseeability for the individual to allow effective protection against arbitrary interference and abuse risks.

Guarantee B

Guarantee B states that necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated in the applicable legislation.

In relation to the principle of proportionality, the EDPB notes that the assessment of the proportionality of limitations to rights to privacy consists of:

  • measuring the severity of the interference; and
  • verifying the importance of the public interest objective.

Furthermore, the EDPB highlights, 'In Schrems II, the CJEU has stressed that legislation of a third country which does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence cannot ensure a level of protection essentially equivalent to that guaranteed by the Charter. Indeed, according to the case law, a legal basis which permits interference with fundamental rights must, in order to satisfy the requirements of the principle of proportionality, itself define the scope of the limitation on the exercise of the right concerned.'

The EDPB also addresses the principle of necessity and outlines that legislation should not authorise the retention of all personal data, or all electronic communications content, and as such should identify limits to the powers of public authorities to access and use such personal data. For example, the EDPB notes that, 'laws permitting public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life'.

Guarantee C

Guarantee C specifies that an effective, independent and impartial oversight system provided by a judge or another independent body, such as an administrative authority or a parliamentary body, should oversee any interference with the right to privacy.

The EDPB outlines some of the challenges of what constitutes independence. In addition, the EDPB highlights several factors that can be taken into considerations including, among other things:

  • measures for effective reviews;
  • openness to public scrutiny;
  • manner of appointment; and
  • legal status.

Guarantee D

Guarantee D refers to the availability of effective legal remedies for individuals to exercise their data subject rights, specifying that it should be necessary to notify individuals whose personal data has been collected or analysed, as far as the notification no longer poses a threat to the purposes of the interventions by the public authorities.

Regarding the effectiveness of a legal remedy, the EDPB outlines that such effectiveness is inextricably linked to the notification of a surveillance measure to the individual once surveillance has been completed. Nevertheless, where there is no notification, an effective remedy must still be provided.

The criteria for a court to be recognised as supplying sufficient redress possibilities includes if the court:

  • is an independent and impartial body;
  • has adopted rules of procedure;
  • includes members that hold or have held high judicial office or are experienced lawyers;
  • has no evidential burden to overcome in order to lodge an application with it;
  • has access to all relevant information during complaint examinations; and
  • has powers to remedy non-compliance.

However, an effective remedy might be provided by a court, tribunal, or non-judicial independent body which offers guarantees essentially equivalent to those required by Article 47 of the Charter.

Conclusion

The EDPB's EEGs Recommendations includes final remarks which highlight that the guarantees should be considered together, that they are subject to interpretation, and an assessment using the EEGs can only come to two conclusions: either the jurisdiction adheres to the EEGs, or it does not.

While the EEGs Recommendations are a referential standard, they include many key factors that are likely to suggest that transfers to a third country is of a high or lower risk. In particular, where an assessment suggests a third country does not meet the threshold of the EEGs, significant consideration will need to be made of the effectiveness of any supplementary measures.