Schrems II agreement between the EU and the US
On July 10th, the European Commission decided that the so-called “EU-U.S. Data Protection Framework” ensures an adequate level of protection for the transfer of personal data from the EU to the United States.
The agreement means that organizations covered by the GDPR can transfer personal data to the US without having to provide a transfer basis in GDPR article 46. In practice, this means that organizations in the future do not need to enter into the EU Commission’s Standard Contractual Clauses or prepare Transfer Impact Assessments (TIA) as a condition for transferring personal data to processors, sub-processors or controllers in the US.
However, it is instead a condition for transferring personal data to the US that the recipient organization has certified itself under the Agreement via the US Department of Commerce. The list of certified organizations can be found here. You will therefore still need to prepare a TIA and a transfer basis if the recipient organization in the US has not been certified under the Agreement.
We have made some changes to Privacy to comply with the new agreement. This means that you can now select “EU-U.S. Data Protection Framework” in the “Transfer Basis” dropdown under “Sharing”. If this is selected, you do not need to prepare a TIA.
You should make one of the following choices in Privacy:
1) Update the protection level on companies
Review your list of companies and filter out the USA in the “Countries” filter, compare your list with the list of certified organisations. For the companies in the list, you can set the protection level to “EU-U.S. Data Protection Framework”.
Click “Edit company” and select “EU-U.S. Data Protection Framework” in the dropdown labeled “Level of protection”. Tick the box: “Transfer transfer basis”, which will update all current transfers for this company at once. Going forward, new transfers for this company will automatically have the transfer basis assigned.
Finish by pressing “Save” and then you can move on to the next company.
Update companies here (require Privacy access)
2) Update the transfer basis on all transfers
Go to your list of transfers. Select the list “1. Overview of transfers of personal data to countries outside the EU/EEA (third country transfers)”. Here you get an overview of all transfers to unsecure third countries across your processing activities. You need to consider all transfers where the recipient country is the USA, and then you need to find out whether the recipient organisation is on the list of certified organisations or not.
If the recipient organisation is on the list:
- Open the transfer (can be done manually or created via system)
- You can update the transfer basis to the new “EU-U.S. Data Protection Framework”
- Check if the recipient organisation’s sub-processors in the US are also on the list
- If they are, you can now change the transfer basis to the “EU-U.S. Data Protection Framework”
If the recipient organisation is not on the list:
- You still need to ensure that there is a valid transfer basis on the transfer to the organisation
- You still need to ensure that a TIA has been prepared on the recipient organisation
Update your transfers here (require Privacy access)
Read more about the news here.