Cross-border data flows
Under the EU General Data Protection Regulation (GDPR), transfers of personal data are permitted to third countries or international organizations that ensure an adequate level of protection. In the absence of an adequacy decision, we advise vendors on the proper mechanism for supply chain data transfers worldwide:
- Standard Data Protection Clauses adopted by the EC or by a supervisory authority, or ad-hoc contractual clauses. We will file the tailored contractual clauses on your behalf, ensuring that they are consistent with the legal principles of personal data protection and that they are discussed with / communicated to the supervisory authority, so that the relevant authorization is received before the transfer takes place. The set that corresponds to your needs depends on the specifics of the cross-border data flow that your organization wants to perform, the legal framework of the third country, etc.
- If you are concerned with data flows within a large multinational company, you may already have Binding Corporate Rules (BCRs) in place or cooperate with data processors that make use of BCRs for Data Processors. These BCRs, however, need to be updated to be fully in line with GDPR provisions. If you do not have BCRs in place, we will file the appropriate documents on your behalf.
- If you transfer personal data to the US and have already self-certified to the US Privacy Shield Program, you will need to reconsider the transmission mechanism you have chosen following the recent Schrems II judgment of the Court of Justice of the European Union. We will advise you on alternative ways of transmitting to the US or, if this is not considered safe under the current legal framework, on keeping the data in the European Union, always taking into account current developments.