Once upon a time data transfers…
March 16, 2021
The notion of “data transfer” is not defined in the General Data Protection Regulation (GDPR). Even though, from a Regulation perspective, a broad definition may result from the interpretations and clarifications of the authorities (European Data Protection Board “EDPB” and National Data Protection Authorities “DPA”).
MyData-TRUST took the time to deeply analysed the topic and summarised all the information you should know in this Article.
Data Transfer Rules
Since the subject of data transfers has become more complex this last years, it has become essential to use the correct transfer tools and to know how to apply it. Moreover, the recent Privacy Shield’s invalidation was a clear warning sent by the European Court of Justice to clarify data transfer rules.
Following the Schrems II ruling, the EDPB released Guidelines on additional measures that need to be put in place to secure a data flow: a mechanism of transfer such as a contract between two entities is not sufficient because it shall not bind Authorities. Supplementary measures of data protection are often essential, whether technical, organizational and contractual. In parallel, the EU Commission drafted a provisional version of new Standard Contractual Clauses (“SCCs”), one contractual method of transfer based on templates. Initially elaborated early 2000s (before the GDPR!), it was about time to adapt them to the realities of the world…
Are the new draft SCCs the remedy to address the challenges we are facing with?
The answer is not certain. If we take a closer look at the new versions of the EU Commission new version of SCCs, it is clear that there are challenges that need to be addressed. Two main conclusions can be drawn from this:
- lack of scenarios: four modules are now taken into consideration to cover more situations that in the current version. The idea is that the company will pick the module adapted to its situation at stake. Especially, the modular approach developed raises other questions in term of responsibilities for such processors, specifically to the exporters has the SCCs imposes strong obligations on them.
- lack of flexibility: it remains a concern. Although the appearance of the “docking clause” would allow any interested party to adhere to the content of one single set of SCCs by completing the annex, we wonder about it uses given the multiplicity of roles and data processing activities that may entail data flows.
Finally, this long-awaited revision of SCCs will not overcome all issues with data transfers in the clinical trial sector. We may have to learn living with them as we do not expect significant changes to the drafts published by the Commission.
Your DPO at MyData-Trust is available to support you with Data Transfers.
If you have any questions regarding the scope, the Data Protection Representative, the Competent Supervisory Authority or about Data Transfers, please contact us. MyData-Trust team will put all their efforts to support and sustain your activities involving personal data.