GDPR Information Series #6: Data Transfers

“Data Transfers” is the sixth and final in a series of topics in which we will discuss the potential impact of the GDPR on your EU or global background screening processes. In this series, look for the  icon which will highlight specific information regarding potential impact to First Advantage screening processes.

Under the GDPR, transferring data outside of the EU/EEA is generally not permitted unless the transferring organisation and the recipient organisation ensure that such transfer is adequately protected. Your organisation, as a Data Controller, and First Advantage as a Data Processor, may be required to take contractual and other steps to make sure that data transfers are properly addressed.

The GDPR covers data transfers in Articles 44-50, and generally sets forth four different ways to legitimise a data transfer, with a fifth category of derogations or exceptions to the four common transfer mechanisms:

  • Adequacy Decisions
  • Standard Contractual Clauses
  • Binding Corporate Rules
  • Codes Of Conduct and Certification Mechanisms

These so-called data transfer mechanisms are not mutually exclusive. It is possible to have more than one mechanism in place for a single data transfer.

1. Adequacy Decisions

The European Commission is an EU institution responsible for proposing legislation, implementing decisions, uploading EU treaties and managing the EU’s day to day business. The European Commission has the power under Article 45 of the GDPR to determine whether a country outside the EU offers an adequate level of data protection, whether by its domestic legislation or as a result of the international commitments it has entered into. The effect of such a decision is that EU personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary.

Which countries have been deemed adequate?

  • Andorra
  • Argentina
  • Canada (only commercial organisations)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Republic of Korea
  • Switzerland
  • The United Kingdom under the GDPR and the LED
  • the United States (only commercial organisations participating in the EU-US Data Privacy Framework)

In the absence of an adequacy decision by the European Commission, Data Controllers and Data Processors must then turn to other transfer mechanism options, described below, to safeguard the data. The European Data Protection Board (EDPB – the organisation which has replaced the Article 29 Working Party) has recommended that the transferring organisation maps out the transfer accordingly and then verify the transfer mechanism that it seeks to rely on to facilitate the data transfer. What follows next is to assess the legal regime in the recipient organisation’s country. This is, in short, an exercise to determine whether that country’s laws offer essentially equivalent protections as the GDPR. If the outcome of the assessment is that the laws of the recipient organisation’s country “impinges” on the effectiveness of the intended transfer mechanism, the transferring organisation must identify and adopt supplemental protective measures so that the level of protection of the data transferred scales up to essentially the equivalent standard of the GDPR. These supplemental protective measures may be contractual, organisational or technical in nature.

 First Advantage stores non-U.S. data in its data centre located in Europe. The EU-US Data Privacy Framework (DPF) is a new self-certification scheme for US companies, replacing the EU-US Privacy Shield framework invalidated by the Court of Justice of the European Union (CJEU) in July 2020. The effect of this adequacy decision is that personal data can flow safely and freely from the European Economic Area (EEA) (the EU states plus Norway, Liechtenstein, and Iceland) to US companies that are part of the DPF.  Some of the US companies joined DPF, but the new adequacy decision is contested by some of the privacy practitioners, so its future is unknown. As a result, the transfer of data between U.S. and Switzerland and U.S. and EU is still quite often performed using the remaining safeguards (Standard Contractual Clauses, Corporate Binding Rules, etc., further described below). Hence, First Advantage is certified under the DPF, but relies on the Standard Contractual Clauses as well.

2. Standard Contractual Clauses

Standard Contractual Clauses (“SCCs”), also known as ‘Model Clauses,’ are contracts that offer additional adequate safeguards with respect to data protection that are needed in case of a transfer of personal data to any third country. SCCs are an instrument which may not be modified and must be signed as provided. However, they may be included as part of a broader agreement and other clauses may be added as long as they don’t contradict the SCCs. This is a “ready to use” instrument. Until June 4, 2021, there were three sets of approved SCCs. On June 4, 2021, the European Commission adopted two new sets of SCCs, one for use between Data Controllers and Data Processors (Article 28 of the GDPR) and one for the transfer of personal data to third countries (Article 46 of the GDPR). They reflect new requirements under the GDPR and take into account the Schrems II judgement of the European Court of Justice, ensuring a high level of data protection for citizens. Data Controllers and Data Processors using previous sets of SCCs were required to switch to the new SCCs by December 27,2022. The new  SCCs are available on the website of the European Commission here: SCCs between Data Controllers and Data Processors; SCCs for transfers of data to third countries. The new SCCs are more flexible for complex processing chains and exist through a “modular approach.” The SCCs come in four modules, addressing: Controller to controller (C2C), Controller to processor (C2P), Processor to processor (P2P), and Processor to controller (P2C).

The UK’s Information Commissioner’s Office (the UK ICO) has recently published its own mechanisms for cross border data transfers.  The first is the The International Data Transfer Agreement (or IDTA), which is a stand-alone alternative to the EU SCCs. The second is The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which amends the legal and jurisdictional details of the SCC from EU specifications to UK.   Both documents are considered to provide Appropriate Safeguards for Restricted Transfers when entered into as a legally binding contract, and either one may be used for this purpose.

 First Advantage relies on SCCs and the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, with suppliers, affiliates and customers. The use of SCCs and their interplay with associated services or data protection agreements can be complex and fact specific. Always consult with your legal counsel when determining if SCCs are an appropriate way for cross-border data transfers.

3. Binding Corporate Rules

Referred to as “BCRs” and covered in Article 47 of the GDPR. BCRs are personal data protection policies which are followed by a group of companies (e.g. multinational corporate groups) in order to provide appropriate safeguards for transfers of personal data within the group, including outside the EEA. Generally, BCRs are implemented amongst Data Controllers/joint controllers within the same corporate group; processor organisations may also use BCRs amongst their group processor organisations. BCRs must be approved by the competent national supervisory authority, a process which can take months or even years.

4. Codes of Conduct or Certification Mechanisms

A Code of Conduct or a Certification Mechanism can offer appropriate safeguards for transfers of personal data where they include binding and enforceable commitments by the organisation in the third country for the benefit of the individuals. These are relatively new tools under the GDPR and the EDPB is working on guidance to further explain how to properly use these tools and when. These concepts are covered in detail in the GDPR under Articles 40, 42 and 46(2).

5. Derogations

It’s important to note that some less common derogations exist under Article 49 which can be viewed as exceptions to the rules identified in items 1-4. These derogations are interpreted very restrictively and only for occasional and non-repetitive processing activities. Examples of these derogations include: (a) situations in which the Data Subject has explicitly consented to the transfer after having been informed about the risks of transfer; and (b) if the data transfer is necessary for important reasons of public interest.