Updated EDPB recommendations for third country transfers


On June 18th, 2021, after public consultation, the European Data Protection Board (EDPB) published its recommendations on supplementary safeguards for transfers of personal data to third countries outside the EU and the EEA. These recommendations revise the first version of the recommendations published in November 2020.

On July 16th, 2020, the CJEU ruled that the transfer of personal data on the basis of the EU-US Privacy Shield is not permissible and that users must carry out their own test on effectiveness when using EU standard contractual clauses.

In the updated version, the EDPB adheres to the six-step plan it developed and obliges the data exporter to conduct and document an individual risk analysis for each data transfer to a third country. According to recital 31 of the recommendations, the central element of this risk analysis is an examination of whether and to what extent there is a risk of official access to the data.

The mere possibility that a service provider can access data from a third country in the context of maintenance or support is considered by the EDPB to be sufficient for the assumption of a third country transfer. This applies not only to cloud providers, but also to many internationally active providers who offer support according to the follow-the-sun principle - meaning that they offer support around the clock, always from a location that is currently within its regular office hours. However, the EDPB confirms that if EU and EEA providers explicitly exclude data transfers to third countries by contract (recital 13), no third country transfer is assumed.

With regard to the possibility of invoking the derogations under Article 49 GDPR for data transfers, the EDPB emphasizes and reiterates its understanding that this must always be only the exception and never the rule. This general statement by the EDPB is questionable regarding the possible consent of data subjects. It is our understanding that the EDPB cannot restrict the free decision of people to consent to a third country transfer. Nevertheless, such consents must meet all requirements of Articles 6, 7 and 49 GDPR.

The presentation of examples listed in Annex 2 has not changed significantly. The EDPB stands by its opinion that data processing in a third country is currently not possible if the recipient is able to read the data in plain text. However, this would also make data transfers within international groups of companies practically impossible (see F.A.Z. Einspruch of November 16th, 2020 and our #UpdateIT panel discussion on data processing within groups of companies). Nevertheless, the EDPB stands by its example, according to which effective pseudonymization can be an appropriate safeguard that enables a third-country transfer of data.

Practical tip:

The transfer of personal data to third countries and the use of international cloud providers remain difficult. From now on, the updated recommendations of the EDPB and the new EU standard contractual clauses must become the central component of every data transfer to a third country. Companies must document their risk analysis and are strongly advised to consider the EDPB recommendations when determining safeguards. Unfortunately, a simple one-size-fits-all solution still does not exist. However, the auditing activities of the authorities show that it is essential for companies to prepare themselves.

The SKW Data Protection Taskforce will be happy to support you in conducting a detailed risk analysis regarding the third country (six-step plan) or in implementing the new standard contractual clauses. We have developed a tool for conducting the risk analysis and are happy to provide this to our clients.
