GDPR Learning Hub

Information security

Additional safeguards

In some cases, companies need to take additional safeguards for transfers of personal data to third countries. A third country is a country outside the EU/EEA area. The European Commission may decide that a third country ensures an adequate level of protection. 

Additional safeguards for transfers of personal data to third countries

If a company wants to transfer personal data to a third country but the European Commission has not decided that the country has an adequate level of protection, or if the transfer meets the requirements for specific situations and occasional transfers, the company needs to take additional safeguards for transfers of personal data to third countries.

Countries outside the EU/EEA do not guarantee obligations and rights corresponding to those the GDPR provides within the EU when companies process personal data. Therefore, the rules are stricter when transferring personal data from the EU to a third country.

Please note that there must be a possibility for data subjects to have the case reviewed by the courts.

Here you can read the recommendations of the European Data Protection Board (EDPB) on when additional safeguards for transfers of personal data to third countries may be needed. They also describe more about what such measures can be.

The Schrems II judgment and transfers of personal data to third countries

The Court of Justice of the European Union (CJEU) found in the Schrems II judgment that the Privacy Shield agreement did not provide adequate protection for personal data transferred from the EU to the US. The agreement had been concluded between the EU and the US, and following its annulment by the CJEU it was no longer possible to transfer personal data to the US under the Privacy Shield. Subsequently, the EU and the US started drawing up a new agreement in which they covered the shortcomings pointed out by the CJEU. In 2023, the European Commission took a new decision on transfers to the United States and established a new agreement, the EU-U.S. Data Privacy Framework (DPF). If the receiving party is a party to the new DPF regulations, transfers there are allowed without the company in the EU/EEA needing to take any additional safeguards.

Examples of additional safeguards for transfers of personal data to third countries

Below you can read some examples of additional safeguards for transfers of personal data to third countries that companies can take.

Binding Corporate Rules (BCR)

For binding corporate rules to be used for transfers of personal data to third countries, they must be approved. The approval must come from a data protection authority within the EU/EEA area.

For example, binding corporate rules may be useful if a multinational company transfers personal data to third countries within its own group of companies. A prerequisite for the BCRs is that the group of companies has an appropriate employee training programme that includes the BCRs. 

Standard Contractual Clauses (SCCs)

Standard contractual clauses are an alternative to binding corporate rules, which companies can use as additional safeguards for transfers of personal data to third countries. It is the European Commission that decides on standard contractual clauses that companies can use. 

Remember to use the right clauses when using the SCCs, as they consist of four different modules with associated provisions. For example, there is a specific module applicable when the transferor of personal data is a controller within the EU and the recipient is a processor in a third country.

Code of Conduct

A company, regardless of whether it is a data controller or a data processor, can adhere to an approved code of conduct. This is an additional safeguard for transfers of personal data to third countries that industries themselves create. Often it is organisations that represent a specific industry that create these.  

The European Data Protection Board (EDPB) has published guidelines on codes of conduct as a basis for transfers of personal data to third countries. They describe, among other things, what a code of conduct needs to achieve in order to be approved as an additional safeguard and how companies can apply for such approval. 
