Adequate data protection for data transfer to non-member countries.

 Data protection authorities are monitoring the implementation of the Schrems II judgment from the Court of Justice of the European Union.

Protecting personal data that is transferred to non-member states outside the EU requires greater attention. Data protection authorities are currently checking whether companies have taken the necessary measures.

The protection of personal data played a major role even before the General Data Protection Regulation (GDPR) came into force. Because a comparable level of data protection is not guaranteed in every country, companies must take particular care when transferring customer or employee data to non-member countries outside the European Union or the European Economic Area (the GDPR calls these "third countries").

The Court of Justice of the European Union (CJEU) defined the data protection requirements for transfers to non-member countries in its Schrems II judgment of 16 July 2020 (Ref.: C-311/18). The judgment declared the EU-US Privacy Shield invalid. Transfers can still be based on the standard contractual clauses (SCC) adopted by the European Commission. However, merely concluding a contract containing these clauses is no longer sufficient. If a data exporter intends to transfer personal data to a non-member country on the basis of the SCC, typically because no adequacy decision exists for that country, it must first assess whether an adequate level of protection is guaranteed for the specific data being transferred and the specific target country. If that is not the case, supplementary measures must be taken to guarantee an adequate level of protection.

Data protection authorities send out questionnaires

The data protection authorities in a number of German states (Baden-Württemberg, Bavaria, Berlin, Brandenburg, Bremen, Hamburg, Lower Saxony, Rhineland-Palatinate, Saarland) are currently reviewing whether companies are taking suitable measures to implement the CJEU decision. To this end, the authorities are sending questionnaires to selected companies. The surveys cover the following:

CJEU: non-member countries must guarantee an adequate level of protection

The background: In its Schrems II judgment, the CJEU stated clearly that personal data transferred to a non-member country on the basis of the standard contractual clauses (the standard data protection clauses under Art. 46 GDPR) must enjoy a level of protection essentially equivalent to that guaranteed by the GDPR within the EU. When evaluating that level of protection, the contractual arrangements between the exporter in the EU and the recipient in the non-member country must be considered. Whether public authorities in the non-member country are able to access the data must also be taken into account.

If the level of data protection required under EU law cannot be ensured in the non-member country, the competent supervisory authorities must suspend or prohibit the transfer. The CJEU stated this clearly. In the same judgment, the court also declared the Privacy Shield adequacy decision for the USA invalid.

Unintentional cross-border data traffic

The CJEU decision has far-reaching consequences for companies. They must ensure that an adequate level of data protection is guaranteed for every transfer to a non-member country, and the data protection authorities are currently investigating whether companies have implemented the CJEU requirements. Cross-border data traffic often occurs unintentionally, simply through the use of everyday service providers such as e-mail providers. This is precisely why such a large number of companies are affected.

Internal transfer of employee data

Data protection applies not only to the handling of sensitive customer data but also to the transfer of employee data within a company. A corresponding level of protection must be ensured in this case as well. A transfer within the meaning of the GDPR is already assumed if an employee can access the data remotely from a non-member country, even if the data itself remains stored in the EU.

The data protection authorities are now checking whether data protection is guaranteed in accordance with the Schrems II ruling. Many companies will need to change long-standing business processes, including how they handle employee data internally.