Readers of our first post, GDPR update, in this series have already worked through Step 1: Transfer Mapping.  Part of that step was determining what countries you’re exporting data to.  Now, we move onto Step 2: Transfer Tools.  Truth be told, Step 2 is really two parts.  So, go grab your country list from your transfer mapping project and get ready to review! 

Step 2.a – Determining Whether the Countries You Export Data to Have Adequate Protections in Place 

The first part of Step 2 involves taking the country list from Step 1 and determining whether the European Commission has found the privacy protections of those countries adequate under GDPR.  Remember: this is for data exports outside of the European Economic Area (the EU plus Iceland, Liechtenstein, and Norway).  If all of the countries on your list are in the EEA, your work here is done.  (In other words, if you were compliant before the SCC changes, you’re still in the clear.) 

What if I transfer data to countries outside the EEA? 

If you transfer data outside the EEA, you’re in good standing if the European Commission has issued an adequacy decision in favor of that country.  Careful though, as sometimes the adequacy decisions pertain to only part of a country. 

The European Commission maintains its list of adequacy decisions here.  As of the writing of this post, the European Commission has stated the following countries have adequate protection: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. 

If you’ve reviewed your list and have found that all of your countries are either EEA countries or have adequacy decisions in their favor, you’re done!  But what about all the other countries?  Like (gulp) the US?  If you’ve got one or more of them on the list, keep reading. 

Step 2.b – Do Your Transfer Tools Provide Appropriate Safeguards? 

Let’s start by answering the obvious question: what is a transfer tool?  A transfer tool is a written safeguard (e.g. a contract) that governs how the data is moved from country to country. 

If you’re exporting data to a country that’s not in the EEA, or hasn’t received a positive adequacy decision, you’ll need to make sure you’ve got these safeguards in place.  Per Article 46 of the GDPR, these safeguards include: 

  • A legally binding and enforceable instrument between public authorities or bodies; 
  • Binding corporate rules; 
  • The standard data protection clauses; 
  • An approved code of conduct; or 
  • An approved certification mechanism. 

The idea is that these transfer tools will help level the data protection playing field.  That essentially, the data subjects will get the same protection outside the EEA as they will inside the EEA. 

Ready to find out if your transfer tools are adequate?  Check back in soon for our post on Step 3: Transfer Tool Assessment. 

Have questions? Please contact us at privacygroup@carneylaw.com for more assistance!

Disclaimer: this post is for informational/educational purposes only. It is not intended to provide any legal advice. 

Comments?