International corporations transfer a wide variety of personal data: for example, applicant data from subsidiaries in Germany to the USA, from one support center to the next in a follow-the-sun model, or to service providers based in third countries that process personal data on their behalf. The use cases are diverse, and the data transfer can also take place through a chain of subcontractors.
On June 4, 2021, the EU Commission published revised standard data protection clauses (SDK) that are intended to comply with the GDPR and with the requirements formulated in the “Schrems II” decision. In particular, the revised EU standard data protection clauses are intended to better meet the requirements for transparency and accountability.
However, when transferring personal data to third countries, it remains the responsibility of the companies concerned to check whether the new modular standard data protection clauses satisfy the legal requirements for the transfer, or whether the companies must take additional measures to protect the personal data from access by government authorities (cf. the US Administration’s Cloud Act). Adequate encryption of the data or its anonymization are recognized as suitable measures.
The standard data protection clauses (SDK) now have a modular structure. The modules (modules 1 – 4) cover the possible constellations between the actors in a third-country transfer. The EU Commission has provided four modules for use. These are, in detail:
Within these modules, it is necessary to check whether sub-options apply, as is the case, for example, in clause 9 (use of subcontractors) of module 2. Here, according to clause 9 lit. a of the SDK, the responsible party (controller) can decide for itself whether the processor must obtain prior authorization for the use of subcontractors (option 1) or not (option 2).
Companies are encouraged to analyze their personal data workflows in detail in order to select the right modules of the standard data protection clauses. The modules corresponding to the data flow and their annexes must then be completed. The annexes contain the information about the data processing (Annex I) and, if sub-processors are used, the list of sub-processors (Annex III). Particularly important is the annex documenting the technical and organizational measures, including the guarantee of data security (Annex II).
Note that for modules 1 – 3, specific rather than general technical and organizational measures must be specified for each data transfer or category of data transfers. Annex II also provides information in the form of an example catalog. However, this sample catalog is not exhaustive and cannot be used as a to-do list. The contracting parties must therefore engage closely with the data processing and define concrete protective measures related to it in order to ensure an adequate level of data protection. The nature, scope, circumstances and purpose of the processing of the personal data, and the risks to the rights and freedoms of the data subjects affected by the processing, must be taken into account. In many cases, a data protection impact assessment must be carried out and documented for the processing concerned.
We can offer you the following services in the field of international data transfer: