SCHREMS II has been an impediment to global data flows

Abstract

There is a difference between making a decision on the adequacy of a country’s laws and assessing impediments in a country to enforcing contracts.  The European Commission is making a decision on whether the third country’s laws are essentially equivalent to the GDPR when making adequacy decisions under Article 45 of the General Data Protection Regulation (GDPR) of the European Union (EU).  Data exporters using Standard Contractual Clauses (SCCs) to transfer personal data to a third country are required by Article 46 of the GDPR to assess whether there are legal impediments where the data importer is located to that data importer fulfilling the requirements of the transfer contract, the SCCs (Article 46 Assessment),  Schrems II has led to confusion about the differences between these two assessments, and that confusion has impacted the free flow of personal from the European Economic Area (EEA).  Fieldfishers

When the European Court of Justice (ECJ) issued its opinion in Schrems II in July 2020, conventional wisdom was that it required the data exporter and its attorney to make an adequacy decision in order for a transfer to be made from the EEA to a third country when the appropriate safeguard was SCCs. Flor  This is an incorrect reading of Schrems II.  The Article 46 Assessment conducted by the data exporter (with the help of the data importer) is very different from the Article 45 Assessment conducted by the European Commission:

  • The Article 45 Assessment assesses whether a third country’s laws are essentially equivalent to those in the EU.  This assessment compares the laws in the third country to those in the EU to determine whether the third country in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the EU.
  • The Article 46 Assessment assesses: (1) the provisions of the appropriate safeguards, the SCCs, and (2) the enforceability in the third country of the data subject rights set forth in the SCCs and the effectiveness in the third country of the legal remedies set forth in the SCCs.  When SCCs are the appropriate safeguard, effectiveness of legal remedies is assessed by looking at the relevant aspects of the legal system of the third country to determine whether public authorities of the third country can access the personal data transferred.  What comprises the relevant aspects of the third country’s legal system is set out in a non-exhaustive manner in Article 45(2) of the GDPR.  Finally, whether there is anything in the law or practices of the third country that may impinge on the effectiveness of the appropriate safeguard, the SCCs, is assessed.

The difference between the Article 46 and Article 45 Assessments is important for policymakers, regulators, and privacy professionals to understand.  The scope of the Article 45 Assessment (equivalency of third country law) and Article 46 Assessment (enforceability of contracts under third country law) is different.  If the distinction between these two assessments is not understood, then data exporters may think that they must do the more complex Article 45 Assessment which is more expensive and time consuming and which either may lead them not to transfer the data and or may lead them to transfer the data without doing the assessment. If the wrong assessment is conducted, unnecessary expense is incurred (especially by small and medium sized companies).  All this confusion adversely impacts global data flows. 

Introduction

When the European Court of Justice (ECJ) issued its opinion in Schrems II in July 2020, the reaction of many was that it required the exporter and its attorney to make an adequacy decision in order for a transfer to be made from the European Economic Area (EEA) to a third country when the appropriate safeguard was standard contractual clauses (SCCs).  This is an incorrect reading of Schrems II.  When making an adequacy decision under Article 45 of the General Data Protection Regulation (GDPR) of the European Union (EU), the European Commission is assessing whether the third country’s laws are essentially equivalent to those in the EU (Article 45 Assessment).  When determining whether data subject rights are enforceable in the third country and whether legal remedies for data subjects are effective in the third country in order to transfer personal data to the third country pursuant to SCCs under Article 46 of the GDPR, the data exporter is assessing whether there is anything in the law or practices of the third country that could impinge on the effectiveness of the appropriate safeguard, the SCCs (Article 46 Assessment). 

Schrems II

In Schrems II, the European Court of Justice (ECJ) was asked to specify which factors need to be taken into consideration for the purpose of determining whether the level of protection required by Articles 46(1) and 46(2)(c) of the GDPR of the EU is ensured in the context of transfer of personal data to a third country based on SCCs.  Before answering this question, the ECJ reviewed the applicable provisions of the GDPR:

  • In the absence of an adequacy decision under Article 45(3) of the GDPR, a controller or processor may transfer personal data to a third country only if: (i) the controller or processor has provided appropriate safeguards (e.g., SCCs), and (ii) enforceable data subject rights and effective legal remedies for data subjects are available.
  • Although Article 46 of the GDPR does not specify the nature of the requirements which flow from the reference to “appropriate safeguards,” “enforceable rights,” and “enforceable remedies,” because Article 46 appears in Chapter V of the GDPR, it must be read in light of Article 44 of the GDPR.   Article 44 is entitled “General principle for transfers” and provides that “all provisions [in that chapter] shall be applied in order to ensure that level of protection of natural persons guaranteed by [the GDPR] is not undermined.”
  • In the absence of an adequacy decision, the appropriate safeguards to be taken by the controller or processor in accordance with Article 46(1) of the GDPR must compensate for the lack of data protection in a third country in order to ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the EU.

After reiterating the question, what factors should be taken into consideration for the purposes of determining the adequacy of the level of protection where personal data is transferred to a third country pursuant to SCCs adopted under Article 46(2) of the GDPR, the ECJ answered as follows: 

  • Although Article 46(2) of the GDPR does not list the various factors which must be taken into consideration for the purposes of assessing the adequacy of the level of protection to be observed in such a transfer, Article 46(1) of the GDPR states that data subjects must be afforded appropriate safeguards, enforceable rights, and effective legal remedies.   
  • The assessment required for that purpose in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the EU and the recipient of the transfer established in the third country and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country.  As regards the latter latter [access by the third country’s public authorities to the personal data transferred], the factors to be taken into consideration in the context of Article 46 of the GDPR correspond to those set out, in a non-exhaustive manner, in Article 45(2) of the GDPR:
  • The rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules, and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
    • The existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
    • The international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relations to the protection of personal data.
  • Therefore, the assessment of the level of protection afforded in the context of a transfer of personal data to a third country pursuant to SCCs must take into consideration both the contractual clauses between the controller or processor established in the EU and the recipient of the transfer established in the third country to ascertain whether data subject rights are enforceable and legal remedies are effective and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of the GDPR.

In so holding, the ECJ also recognized, as it had in Schrems I, that a third country is not required to ensure a level of protection identical to that guaranteed in the EU legal order.  Rather, the ECJ explained that the term “adequate level of protection” must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the EU.  This explanation may be why Schrems II has been interpreted as requiring an adequacy-type assessment for personal data transferred from the EEA to a third country pursuant to SCCs.  A review of the Article 29 Working Party’s Adequacy Referential (Referential) shows that this interpretation is incorrect.

The Referential

The Referential sets forth the core data protection principles that have to be present in a third country legal framework or an international organization in order to obtain an adequacy decision.  These principles are: (a) the basic content and procedural/enforcement data protection principles and mechanisms a third country’s system must contain, and (b) essential guarantees in third countries for law enforcement and national security access to limit interferences to fundamental rights.

The content principles are:

  • Basic data protection concepts and/or principles should exist.  They do not have to mirror the GDPR terminology but should reflect and be consistent with the concepts in European data protection law.
  • Lawful, fair, and legitimate principle. Data must be processed in a lawful, fair, and legitimate manner.  The European framework sets out several legitimate grounds under which personal data may be lawfully, fairly, and legitimately processed (e.g., consent of the data subject, performance of a contract or legitimate interest of the data controller or of a third party which does not override the interests of the individual). 
  • Purpose limitation principle.  Data should be processed for a specific purpose and subsequently used only insofar as this is not incompatible with the purpose of the processing.
  • Data quality and proportionality principle.  The data should be adequate, relevant, and not excessive in relation to the purposes for which they are processed.
  • Data retention principle.  As a general rule, data should be kept for no longer than is necessary for the purposes for which the personal data is processed.
  • Security and confidentiality principle. Any entity processing personal data should ensure that data are processed in a manner that ensures security of the data using appropriate technical or organisational measures. 
  • Transparency principle.  Each individual should be informed of all the main elements of the processing of his/her personal data in a clear, easily accessible, concise, transparent and intelligible form.
  • Right of access, rectification, erasure, and objection.  The data subject should have the right to:
    • Obtain confirmation about whether or not data processing concerning him/her is taking place as well as access to his/her data
    • Obtain rectification of his/her data as appropriate for specified reasons and erasure of his/her personal data
    • Object on compelling legitimate grounds relating to his/her particular situation, at any time, to the processing of his/her data under specific conditions established in the third county legal framework
  • Restrictions on onward transfers.  Further transfers of personal data by the initial recipient of the original data transferred should be permitted only where the further recipient (i.e., the recipient of the onward transfer) also is subject to rules affording an adequate level of protection and following the relevant instructions when processing data on behalf of the data controller.

The procedural and enforcement mechanisms set forth the elements that must exist in order for a third country’s system to be consistent with that in the EU:

  • One or more competent independent supervisory authorities, tasked with monitoring, ensuring, and enforcing compliance with data protection and privacy provisions, should exist.
  • The data protection system must ensure a good level of compliance, i.e., it should ensure a high degree of accountability and of awareness among data controllers and those processing personal data on their behalf of their obligations, tasks, and responsibilities, and among data subjects of their rights and the means of exercising them.
  • The data protection framework must require accountability, i.e., it should oblige data controllers and/or those processing personal data on their behalf to comply with it and to demonstrate such compliance.
  • The data protection system must provide support and help to individual data subjects in the exercise of their rights and appropriate redress mechanisms.

The essential guarantees, which must be respected for access to data, whether for national security purposes or for law enforcement purposes, by all third countries in order to be considered adequate, are:

  • Processing should be based on clear, precise, and accessible rules (legal basis)
  • Necessity and proportionality with regards to legitimate objectives pursued need to be demonstrated
  • The processing has to be subject to independent oversight
  • Effective remedies need to be available to the individuals

The Referential requires an in-depth assessment of both the substantive and procedural law of the third country.  After the conduct of the Article 45 Assessment, the European Commission will be able to determine whether the third country in fact ensures, by reason of its domestic law or its international commitments, a level of protection that is essentially equivalent to that guaranteed within the EU.   The scope of the Article 45 Assessment is broader than the Article 46 Assessment called for by Schrems II – whether the data subject rights set forth in the SCCs are enforceable in the third country and whether the legal remedies set forth in the SCCs are effective in the third country.

Standard Contractual Clauses

The SCCs issued by the European Commission in June 2021 provide that they “set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of” the GDPR and, “with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of” the GDPR.  The organization of the SCCs support this effect of the SCCs.  The SCCs consist of four sections.  Section I is untitled but consists of introductory provisions (e.g., purpose and scope, interpretation, description of the transfer(s)).  Section IV consists of final provisions (e.g., governing law, choice of forum and jurisdiction).  Section II is Obligations of the Parties, and Section III is Local Laws and Obligations in Case of Access by Public Authorities.

Section II – Obligations of the Parties

Section I contains a Third-party Beneficiary Clause pursuant to which data subjects may invoke and enforce the SCCs, as third-party beneficiaries, against the data exporter and/or the data importer, and this third-party beneficiary right is without prejudice to the rights of data subjects under the GDPR.  Under Section II:

  • on request, the data exporter must make a copy of the SCCs, including the Appendix as completed by the data exporter and the data importer, available to the data subject free of charge
  • if the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it must inform the data exporter without undue delay
  • after the end of the provision of the processing services, the data importer must, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter or return to the data exporter all personal data processed on its behalf and delete existing copies
  • the data importer must promptly notify the data exporter of any request it has received from a data subject
  • the data importer must assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under the GDPR
  • the data importer must inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints.
  • In case of a dispute between a data subject and either the data importer or the data exporter regarding compliance with the SCCs, best efforts must be used to resolve the issue amicably in a timely fashion
  • Where the data subject invokes a third-party beneficiary right, the data importer must accept the decision of the data subject to lodge a complaint with the appropriate supervisory authority or refer the dispute to the competent courts
  • The data importer is liable to the data subject, and the data subject is entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under the SCCs
  • The data exporter is liable to the data subject, and the data subject is entitled to receive compensation for any material or non-material damages, the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under the SCCs
  • Where more than one party to the SCCs is responsible for any damage caused to the data subject as a result of a breach of the SCCs, all responsible parties are jointly and severally liable and the data subject is entitled to bring an action in court against any of these parties

Section III – Local Laws and Obligations in Case of Access by Public Authorities

With respect to local laws and practices affecting compliance with the SCCs:

  • The parties to the SCCs warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under the SCCs
  • The data importer warrants that, in carrying out the assessment, it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with the SCCs
  • The data importer agrees to notify the data exporter if, after having agreed to the SCCs and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with its warranty; following such a notification or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under the SCCs, the data exporter must promptly identify appropriate measures to be adopted by the data exporter and/or data importer to address the situation

Obligations of the data importer in case of access by public authorities:

  • The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary, with the help of the data exporter) if it:
    • receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to the SCCs
    • becomes aware of any direct access by public authorities to personal data transferred pursuant to the SCCs in accordance with the laws of the country of destination
  • If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible.
  • Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received

With respect to legality and data minimization,

  • The data importer agrees to review the legality of the request for disclosure and to challenge it, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law, and principles of international comity
  • The data importer must, under the same conditions, pursue possibilities of appeal, including seeking interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on the merits
  • The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based upon a reasonable interpretation of the request

The provisions of the SCCs support the conclusion that the scope of the Article 46 Assessment called for by Schrems II is the enforceability in the third country of the data subject rights set forth in the SCCs and the effectiveness in the third country of the legal remedies set forth in the SCCs.

The EDPB Final Recommendations

The Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (EDPB Final Recommendations) issued by the European Data Protection Board (EDPB) in June 2021 provide in Step Three that the data exporter in collaboration with the data importer should assess if there is anything in the law and/or practices in force in the third country that may impinge on the effectiveness of the appropriate safeguards of the GDPR Article 46 transfer tool relied on in the context of the specific transfer. 

  • This assessment must be based on legislation publicly available and must address access to data by public authorities of the importer’s third country.  Examining the practices in force in the third country is especially important in the assessment of the following situations:
    • Practices of public authorities (e.g., accessing personal data held by the private sector or when enforcing -or not- legislation as supervisory or judicial bodies) may clearly indicate that they do not normally apply/comply with the legislation that governs, in principle, their activities.
    • Relevant legislation in the third country (e.g., on access to personal data held by the private sector) may be lacking.
    • Relevant legislation in the third country might be problematic and transferred data and/or the importer fall or might fall within the scope of the problematic legislation. 
  • The scope of the assessment is limited to the legislation and practices relevant to the protection of the specific data transfer, in contrast with the general and wide encompassing adequacy assessment the European Commission carries out in accordance with Article 45 of the GDPR.  Specific attention should be paid to relevant laws, in particular laws laying down requirements to disclose personal data to public authorities or granting to public authorities powers of access to personal data (e.g., criminal law enforcement, regulatory supervision, or national security purposes).   If these requirements or powers restrict the fundamental rights of data subjects while respecting their essence and being necessary and proportionate in a democratic society to safeguard important objectives as also recognized in EU or EU Member States’ law, they may not impinge on the commitments contained in the GDPR Article 46 transfer tool being relied on. 
  • Documented practical experience of the importer with relevant prior instances of requests for access received from public authorities in the third country may be taken into consideration.  The experience of the importer will be able to be used only if the legal framework of the third country does not prohibit the importer from providing information on requests for disclosure from public authorities or on the absence of such requests.  The absence of prior instances of requests received by the importer can never be considered, by itself, as a decisive factor on the effectiveness of the GDPR Article 45 transfer tool that allows the transfer to proceed without supplementary measures.  This information will be able to be considered, together with other types of information obtained from other sources, as part of the overall assessment of the laws and practices of the third country in relation to the transfer.    

Thus, according to the EDPB, a third question needs to be asked.  The questions that the Article 46 Assessment should ask are limited to: (1) whether data subject rights set forth in the SCCs are enforceable in the third country, (2) whether legal remedies set forth in the SCCs are effective in the third country if personal data of data subjects transferred to the third country are subject to access by public authorities in that third country, and (3) does anything in the law or practices of the third country impinge on the effectiveness of the appropriate safeguard, the SCCs?

Conclusion

The Article 46 Assessment called for by Schrems II, the EDPB Final Recommendations and the SCCs is not an adequacy assessment.  Rather, the Article 46 Assessment assesses: (1) the provisions of the appropriate safeguards, the SCCs, and (2) the enforceability in the third country of data subject rights set forth in the SCCs and the effectiveness in the third country of legal remedies set forth in the SCCs.  When SCCs are the appropriate safeguard, effectiveness of legal remedies is assessed by looking at the relevant aspects of the legal system of the third country to determine whether public authorities of the third country can access the personal data transferred.  What comprises the relevant aspects of the third country’s legal system is set out in a non-exhaustive manner in Article 45(2) of the GDPR.  Finally, whether there is anything in the law or practices of the third country that may impinge on the effectiveness of the appropriate safeguard, the SCCs, is assessed.

The Article 46 Assessment conducted by the data exporter (with the help of the data importer) is very different from the Article 45 Assessment conducted by the European Commission to determine whether a third country’s laws are essentially equivalent to those in the EU.  The Article 45 Assessment compares the laws in the third country to those in the EU to determine whether the third country in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the EU.  The Article 46 Assessment assesses whether there is anything in the laws or practices of the third country which will interfere with the data subject rights set forth in the SCCs being enforced and with the legal remedies set forth in the SCCs being effective and which will impinge on the appropriateness of the SCCs. 

The difference between the Article 46 and Article 45 Assessments is important for policymakers, regulators, and privacy professionals to understand.  There is a difference between who conducts each assessment: the European Commission conducts the Article 45 Assessment, and the data exporter (with the help of the data importer) conducts the Article 46 Assessment.  As discussed above, the scope of the Article 45 Assessment (equivalency of third country law) and Article 46 Assessment (enforceability of contracts under third country law) is different. If the distinctions between these two assessments are not understood, then data exporters may think that they must do the more complex Article 45 Assessment which is more expensive and time consuming and which either may lead them not to transfer the data and or may lead them to transfer the data without doing the assessment.  Fieldfishers  If the wrong assessment is conducted, unnecessary expense is incurred (especially by small and medium sized companies), which ultimately leads to reduction in data flows.  ITIF  All this confusion adversely impacts global data flows.  ITIF 

Although this paper sets forth the factors that should be taken into consideration when conducting an Article 46 Assessment for the purposes of transferring personal data to a third country when SCCs are the appropriate safeguard, the same factors should apply to the other appropriate safeguards in Article 46 of the GDPR (legally binding and enforceable instrument between public authorities or bodies, binding corporate rules, standard data protection clauses adopted by a supervisory authority and approved by the European Commission, approved code of conduct, and approved certification method).  All of the other appropriate safeguards in Article 46 are contractual in nature, and therefore, the same analysis should apply.

New Product Announcement

GDPRsimple is excited to announce that it has added to its document generators the new EU Standard Contractual Clauses (SCCs) and has revised its Transfer Impact Assessment to reflect the EDPB’s Final Supplemental Measures.  

  • The SCCs have logic built into them so all you do is answer 19 questions and the final version of the SCC you selected is generated.  There’s no need to separately produce a version of the module selected and then separately decide which options to choose and then produce another version of the module selected.  After answering 19 questions, GDPRsimple does all the work for you.    
  • The U.S. Transfer Impact Assessment has built into it the analysis contained in Schrems II and the EDPB’s Final Supplemental Measures.   The questions contained in the Six Steps of the Assessment help you identify the factors you need to consider to determine whether supplemental measures are necessary to transfer personal data from the EEA to the U.S.  

Figuring out how to assess the equivalency of U.S. law can be overwhelming and producing the different versions of the SCCs can be confusing and time-consuming.  GDPRsimple has eliminated the burden and confusion.  Go to www.keepgdprsimple.com to subscribe so you can make data transfers from the EEA to the U.S. easier.

Records of Processing Activities

Each controller and processor that employs 250 persons or more must maintain a written, including an electronic, record of processing activities (RoPA).  If the controller or processor employs fewer than 250 persons, it must maintain such a RoPA if the processing:

  • Carried out is likely to result in a risk to the rights and freedoms of individuals,
  • Is not occasional, or
  • Includes special categories of data or personal data relating to criminal convictions and offences.

The controller’s RoPA must contain all of the following information:

  • The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer (DPO);
  • The purposes of the processing;
  • A description of the categories of the individuals and of the categories of personal data;
  • The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
  • Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, where required in the case of transfers pursuant to a derogation, the documentation of suitable safeguards;
  • Where possible, the anticipated time limits for erasure of the different categories of data; and
  • Where possible, a general description of the technical and organizational security measures.

The processor’s RoPA carried out of behalf of a controller must contain all of the following information:

  • The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting and, where applicable, of the controller’s or the processor’s representative and the DPO;
  • The categories of processing carried out on behalf of each controller;
  • Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, where required in the case of transfers pursuant to a derogation, the documentation of suitable safeguards; and
  • Where possible, a general description of the technical and organizational security measures. 

Even if a RoPA isn’t required, it is a good idea to keep one; as the name describes, the RoPA helps both controllers and processors keep track of their processing activities.

This blog is the 33rd in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  International Transfers

What consultations should occur prior to high-risk processing?

What consultations should occur prior to high-risk processing?

Different types of consultations must occur prior to high-risk processing:

  • Where appropriate, the views of individuals or their representatives on the intended processing must be sought as long as the commercial or public interests and the security of processing operations are protected. 
  • When carrying out a data protection impact assessment (DPIA), the advice of the data protection officer (DPO), if one has been designated, must be sought.
  • The supervisory authority must be consulted prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk.  In such a consultation, the supervisory authority must be provided with:
    • Where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
    • The purposes and safeguards provided to protect the rights and freedoms of individuals;
    • Where applicable, the contact details of the DPO;
    • The DPIA; and
    • Any other information requested by the supervisory authority.

If the supervisory authority is of the opinion that the intended processing would infringe the GDPR, in particular where the risk has been insufficiently identified or mitigated, the supervisory authority, within eight weeks of receipt of the request for consultation (Time Period), must provide written advice.  Taking into account the complexity of the intended processing, the Time Period may be extended by six weeks (collectively Time Periods), and notification of any such extension and the reasons for the delay must be provided within one month of receipt of the request for consultation.  The Time Periods may be suspended until the supervisory authority has obtained the information it has requested for the purposes of the consultation.   

In addition, Member State law may require consultation, and prior authorization from, the supervisory authority in relation to processing for the performance of a task carried out in the public interest, including processing in relation to social protection and public health.

This blog is the 32nd in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  Records of Processing Activities

When is a data protection impact assessment required and how is it conducted?

When a type of processing is using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals, under the GDPR, the controller, prior to the processing, is required to conduct an assessment of the impact of these processing operations on the protection of personal data.  A data protection impact assessment (DPIA), in particular, is required when the following types of processing are conducted:

  • A systematic and extensive evaluation of personal aspects relating to an individual which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual;
  • Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences; or
  • A systematic monitoring of a publicly accessible area on a large scale.

In addition, each supervisory authority must publish a list of additional kinds of processing operations which require that a DPIA be conducted prior to their taking place. 

The DPIA must contain at least:

  • A systematic description of the anticipated processing operations and the purposes of the processing including, where applicable, the legitimate interest pursued by the controller.  In describing the processing, include:
    • The nature of the processing (e.g., what type of data would be processed? For how long?)
    • The scope of the processing (e.g., how many persons are involved)
    • The context of the processing (e.g., would the processing allow precise conclusions to be drawn about private lives of individuals?)
    • The lawful basis for the processing (e.g., legitimate interests)
  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes
    • Necessity
      • Identify any fundamental rights and freedoms limited by the processing
      • Define the objectives of the processing
      • Chose the objective that is effective and least intrusive for the rights at stake
    • Proportionality
      • Assess the importance of the objective and whether the processing meets the objective
      • ‘Fair balance’ evaluation (i.e., compare the constraints and lack of constraints on privacy and data protection)
      • If the processing is not proportionate, identify safeguards (e.g., reduce the scope or the extent of the processing)    
  • An assessment of whether the type of processing is likely to result in a high risk to the rights and freedoms of individuals
  • Determine the Threat Likelihood (from the perspective of the individual) due to:
    • Illegitimate access to personal data
    • Undesired modification of personal data
    • Disappearance of personal data
  • Determine the impact of the threat based on the severity of the harm that each threat – in the context of the processing activity – could have on an individual
  • Determine the Inherent Risk Level: (impact level) x (threat likelihood level)
  • The measures anticipated to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of individuals and other persons concerned
    • If the Inherent Risk Level is Medium or High, then the effectiveness of organizational and technical security measures is assessed to determine Residual Risk.
    • Determine the Residual Risk Level: (inherent risk level) x (measures effectiveness)
    • If the Residual Risk Level is High, then the anticipated processing should not proceed without consulting the supervisory authority; if the Residual Risk Level is Low, then the anticipated processing can proceed.  If the Residual Risk Level is Medium, then a review of the effectiveness of individual measures should be reviewed to determine whether or not the anticipated processing should proceed and whether the supervisory authority need to be consulted.

This blog is the 31st in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  What consultations should occur prior to high-risk processing?  

Why you should have a Data Protection Policy and a Data Retention and Erasure Policy and what should be in them?

As discussed in the previous blog on security assessments, the GDPR requires the controller and the processor to implement appropriate technical and organizational measures.  Examples of organizational measures are policies and procedures, and two of the recommended security policies are: (1) a Data Protection Policy, and (2) a Data Retention and Erasure Policy.

The Data Protection Policy sets forth the organization’s practices by which personal data should be protected and identifies the roles and responsibilities of the organization’s users of the personal data.  In order for the organization to protect and safeguard personal data, procedures should be in place to provide clear guidance regarding the security of personal data, to protect against personal data breaches, and to provide clear guidance regarding the proper disposition of personal data.  Common provisions in such a policy include:

  • Appropriate assessments should be conducted to identify reasonably foreseeable internal and external risks to the security of personal data that could result in a personal data breach, and the sufficiency of technical and organizational security measures in place to control these risks should be assessed.
  • Data users should have access only to specific personal data if access to that personal data is needed to fulfill their job responsibilities.
  • Before data users are allowed access to personal data, they should be trained in the use and attributes of the personal data applicable to their responsibilities and in the procedures applicable to their role and function.
  • Data users are responsible for keeping personal data accurate and up to date.
  • Personal data should be used only for the organization’s business purposes and should not be used for personal purposes.
  • A testing program that includes an assessment of the effectiveness of the procedures regarding the management of personal data should be conducted. 

The Data Retention and Erasure Policy sets forth the manner in which the organization retains its personal data in accordance with the requirements of all applicable laws and disposes of personal data when they are no longer needed.  Personal data retained for longer than is necessary, i.e., essential for the purpose pursued by the business, carries additional risk and cost.  Common provisions in such a policy include:

  • Personal data only should be retained for legitimate business uses and should not be retained for longer than is necessary for their lawful purpose. 
  • Where practicable, personal data generally should be organized and stored according to general categories in a manner that best facilitates the efficient administration of business operations. 
  • Confidential personal data should be labeled and/or stored in a manner to limit access to those organization employees or other individuals with authorization to view such personal data. 
  • A default standard retention period should be determined, but certain types of personal data (e.g., special categories of personal data) should be retained for shorter periods of time. 
  • A retention schedule should be established and maintained. 
  • If personal data are no longer required, they should be destroyed, erased or otherwise made unreadable prior to disposition. 
  • Any disposition of personal data must be suspended in the event of an audit, litigation, or investigation related to the personal data.

This blog is the 30th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  When is a data protection impact assessment required and how is it conducted?

How is security of processing assessed?

The GDPR requires the controller and the processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.  In order to determine the “appropriate level of security,” an assessment must be done that takes into account:

  • The state of the art,
  • The costs of implementation, and
  • The nature, scope, context and purposes of processing

as well as the risk of varying likelihood and severity for the rights and freedoms of individuals.  Account also must be taken in particular of the risks that are presented by processing, “in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”

 “Personal data breach” is defined in the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”  Thus, in assessing the appropriate level of security, account must be taken in particular of the risks that are presented by a personal data breach. 

After assessing the nature, scope, context and purposes of the processing, the security assessment should assess the risks to the fundamental rights and freedoms of individuals by assessing the threat likelihood – remote, possible or probable – from the perspective of the individual – of three threats types – illegitimate access to personal data, undesired modification of personal data and disappearance of personal data.  Then, for each threat type, the impact in the context of the processing activity should be calculated – what is the severity of the harm that each threat in the context of the processing activity could have on an individual – minimal, significant, severe.    This calculation is: (impact level) x (threat likelihood level) = inherent risk level.  The inherent risk level could be either high, medium or low, and if it is either medium or high, then measures to reduce inherent risk need to be considered.

Inherent risk is when technical and organizational security measures are assessed.  These measures are evaluated as highly effective, somewhat effective and less effective.  The scores from all the categories of security measures are totaled, and the effectiveness of the security measures is calculated as low, medium and high.  This calculation is: (inherent risk level) x (measures effectiveness) = residual risk level.  According to the GDPR, some of the appropriate technical and organizational measures to be evaluated are:

  • The pseudonymization and encryption of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

A controller’s or processor’s ability to adequately assess security risks is necessary in order for them to be able to conduct data protection impact assessments (DPIA) which are required when processing in particular is using new technologies.  DPIA’s will be discussed in a later blog.

This blog is the 29th is a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SME’s implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  Why you should have a Data Protection Policy and a Data Retention and Erasure Policy and what should be in them?

Why you should have a Personal Data Breach Policy and what should be in it?

You should have a Personal Data Breach Policy that sets forth a plan on how to respond to a Personal Data Breach.  Having and implementing such a plan helps protect an organization from a Personal Data Breach and enable the timely response if a Personal Data Breach is suspected or occurs.

Given these reasons for having a Personal Data Breach Policy, an organization should consider having a Personal Data Breach Policy that discusses:

  • How to determine whether a Personal Data Breach has occurred
  • How to preliminarily address the incident
  • How to investigate the incident
  • How to document the incident and what information to include in the documentation for both
    • Internal documentation (e.g. recordkeeping)
    • External documentation (e.g. notifying regulators and/or individuals)
  • The roles of the personnel who should be on the Incident Response Team
    • Internal personnel (e.g. Chief Security Officer)
    • External personnel (e.g. outside counsel)
  • The need to determine any remediation strategy
  • Examples of potential remediation strategies
  • The need to include in third-party contracts the responsibilities of processors in the event of a suspected or identified Personal Data Breach

These topics are examples of subjects that you should consider including in a Personal Data Breach Policy.  There may be additional subjects that it may be appropriate for you to include in such a Policy, and it may, under some circumstances, be appropriate for you to not include some of the above listed topics in your Personal Data Breach Policy.

This blog is the 28th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  How is security of processing assessed?

What needs to be in a GDPR personal data breach notification?

If a personal data breach communication must be provided to an individual, it must describe in clear and plain language the nature of the personal data breach.   If a notification to a supervisory authority of a personal data breach must be given, the description of the nature of the personal data breach should include if possible:

  • The categories and approximate number of individuals concerned, and
  • The categories and approximate number of personal data records concerned.

The communication to the individuals and the notification to the supervisory authority also should contain:

  • The name and contact details of your data protection officer or other contact point where more information can be obtained;
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, if appropriate, measures to mitigate its possible adverse effects.

If all this information cannot be provided to the supervisory authority at once, it may be provided as soon as it becomes available.

If the controller does not provide a personal data breach communication to individuals, the supervisory authority, if it decides none of the conditions excusing the providing of a communication have been met, may require the controller to provide a communication, after having considered the likelihood of the personal data breach resulting in a high risk to the rights and freedoms of individuals.

This blog is the 27th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  Why you should have a Personal Data Breach Policy and what should be in it?

What is a data breach under the GDPR and what do you do when one happens?

Under the GDPR, the term “personal data breach” means a breach of security that leads to the:

  • Accidental or unlawful destruction or loss of,
  • Accidental or unlawful alteration of, or
  • Unauthorized disclosure of, or access to,

personal data that have been transmitted, stored or processed in some other way. 

After becoming aware of a personal data breach, you without undue delay must notify:

  • The supervisory authority, if you are the controller, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals
    • The notification must be given if feasible within 72 hours after you became aware of the personal data breach
    • Where notification is not made within 72 hours, the notification must set forth the reasons for the delay

This notification is unnecessary if the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

  • The controller, if you are the processor, without undue delay.

When the personal data breach is likely to result is a high risk to the rights and freedoms of individuals, the controller must communicate with the individual without undue delay.  This communication is unnecessary if any of the following conditions are met:

  • Appropriate technical and organization protection measures have been implemented by the controller, and those measures were applied to the personal data affected by the personal data breach (e.g. encryption)
  • Subsequent measures have been taken by the controller that make high risks to the rights and freedoms of individuals no longer likely to materialize
  • Disproportionate effort is involved.  In this case, a public, or similar equally effective, communication should be given to individuals

The controller must keep a record of any personal data breaches.  This record should contain:

  • The facts relating to the personal data breach,
  • Its effects, and t
  • The remedial action taken.

This blog is the 25th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  What needs to be in a personal data breach notification?