International data transfer

International corporations transfer a wide variety of personal data, e.g. applicant data from subsidiaries in Germany to the USA, from support center to support center (follow-the-sun operations), or to service providers based in third countries that process personal data on their behalf. The use cases are diverse, and the data transfer can also run through a chain of subcontractors.

On June 4, 2021, the EU Commission published revised standard data protection clauses (SDK) that are intended to be in line with the GDPR and with the requirements formulated in the "Schrems II" decision. The revised EU standard data protection clauses are intended in particular to better meet the requirements for transparency and accountability.

However, when transferring personal data to third countries, it remains the responsibility of the companies concerned to check whether the new modular standard data protection clauses satisfy the legal requirements for a transfer to a third country, or whether additional measures are required on the part of the companies to protect personal data from access by governments, cf. the US CLOUD Act. Adequate encryption of the data or its anonymization are recognized as suitable measures.

The standard data protection clauses (SDK) now have a modular structure. This modular structure (modules 1 – 4) takes into account the possible constellations between the actors in a third-country transfer. Four modules have been offered for use by the EU Commission. In detail, these are:

  • Module 1: Transfer from controllers to controllers
  • Module 2: Transfer from controllers to processors
  • Module 3: Transfer from processors to processors
  • Module 4: Transfer from processors to controllers

Within these modules, it is necessary to check whether sub-options apply, as is the case, for example, in clause 9 (use of sub-processors) of module 2. Here, according to clause 9 lit. a of the SDK, the controller can decide for itself whether the processor must obtain prior authorization for the use of sub-processors (option 1) or not (option 2).

Companies are encouraged to analyze their workflow of personal data in detail in order to select the right modules of the standard data protection clauses. The modules corresponding to the data flow and their annexes must then be filled in. The annexes record the information about the data processing (Annex I) and, if sub-processors are used, the list of sub-processors (Annex III). Particularly important is the annex documenting the technical and organizational measures, including the guarantee of data security (Annex II).

Note that for Modules 1 – 3, specific rather than general technical and organizational measures must be specified for each data transfer or category of data transfers. Annex II also provides information in the form of a sample catalog. However, this sample catalog is not exhaustive and cannot be used as a to-do list. The contracting parties must therefore engage intensively with the data processing and define concrete protective measures related to it to ensure an adequate level of data protection. The nature, scope, circumstances and purpose of the processing of the personal data, and the risks to the rights and freedoms of the data subjects affected by the processing, must be taken into account. In many cases, a data protection impact assessment must be carried out and documented for the data processing concerned.

We can offer you the following services in the field of international data transfer:

  • Support in recording the data flow within a parent company, its subsidiaries and at subcontractors (data workflow)
  • Support in recording the main IT processes affected by a data transfer to third countries (data mapping)
  • Depending on the data workflow, structuring of the required data protection contracts, in particular selection of the required modules of the standard data protection clauses (SDK)
  • Support in the preparation of the individual annexes, in particular the information on data processing (Annex I), the documentation of technical and organizational measures including data security (Annex II) and the list of sub-processors (Annex III)
  • Assistance in recording and documenting the nature, scope, circumstances and purpose of the processing of the personal data
  • Conducting the required data protection impact assessment
  • Advising on the implementation of appropriate measures to prevent access to personal data by governments in third countries, e.g., by anonymizing or sufficiently encrypting the data
  • Legal advice on laws in third countries that allow their governments to access personal data, e.g., the US CLOUD Act
  • Conducting reliability checks of external service providers, e.g., through a data protection audit
  • On-site visits and inspection of the IT and telecommunications infrastructure to check the reliability of the external service provider under data protection law