EU Data Privacy Transfer Mechanism for Third Countries
Greetings and best wishes for a secure, privacy, and compliant new year for you, your loved ones, and your business!
The European Union and the United States entered into the EU-US Privacy Shield Framework, which enables US businesses to obtain personal data from the EU in accordance with EU data protection rules. However, Schrems II, which the EU Court of Justice rejected in July 2020, is no longer in use. This makes it impossible for companies to use it to move personal data from the EU to the US.
Privacy Shield
The Privacy Shield was rejected by the CJEU for a variety of reasons. The fact that the US government's surveillance programs might have enabled the widespread surveillance of EU individuals was one of the primary factors in the CJEU's decision. The court was particularly concerned about the US government's monitoring programs, which it believed might be used to mass-surveil EU nationals. The absence of rights and remedies for those whose data was transferred to the US under the Privacy Shield disturbed the court as well.
Businesses that had previously used the Privacy Shield to transmit data from the EU to the US were compelled to find alternative ways to comply with EU data protection rules as a result of the decision. This has had a substantial impact on globally operating firms, as have Standard Contractual Clauses (SCC) and other data transmission techniques.
Standard Contractual Clauses (SCC)
SCCs are a collection of standard clauses that businesses can apply to guarantee that personal data transferred outside the EU is protected to the same level as it would be inside the EU. These clauses offer a legally binding framework for the protection of personal data and are intended to be integrated into contracts between businesses.
The level of data protection provided by the GDPR in the EEA must be equivalent in the third countries for the new SCCs to be valid. Therefore, carrying out a Transfer Impact Assessment (TIA) is the key step in assessing the potential risk involved in transferring personal data from one nation to another. When a company is considering a third-country transfer of personal data from the EU, TIAs are frequently conducted out since such transfers are subject to SCC under EU data protection legislation.
With Unicis, you can manage tasks for security, privacy, and compliance team in one place.
Collaborate accross multiple teams about gap analysis, register of procedures and transfer impact assessment.
Transfer Impact Assessment (TIA)
The aim of a TIA is to ensure the security of personal data transmitted to a third country by EU citizens. This is especially crucial if the third country's level of data protection is lower than that of the EU. A TIA entails assessing the transfer's risks, including the possibility of illegal access to the data or the risk of data usage for unauthorized purposes. There are often numerous steps in the TIA process, including:
- Establishing the reason for the data transfer and the categories of personal data that will be transferred
- Evaluating the third country's degree of data protection
- Analyzing the transfer's risks, including any possible effects on the rights of the people whose data is being transferred.
- Putting procedures in place to lessen any dangers that have been identified, like utilizing proper protections or getting the person's permission before the transfer.
- Documenting the TIA process and outcomes.
A TIA is a crucial step in ensuring that a business complies with EU data protection rules and that your customers' personal information is sufficiently protected when it is transferred to a third country. In recent years with increasing globalization of data flows, EU Commission has constantly updating its policies to ensure continuous adequacy of level of protection of data transfer mechanism, which is why its important to be updated with these developments.
Unicis Transfer Impact Assessment (TIA) app for Jira
Due to this, Unicis created the Atlassian Jira plugin app Unicis.TIA to assist legal, privacy, and compliance team in five simple steps in order to meet the requirements:
- Describe the intended transfer scenario
- Determine the scenarios of problematic lawful access that are relevant
- Determine factors that indicate a risk of problematic lawful access
- Determine probability of a problematic lawful access
- Conclusion/Results
Documentation
Check out our documentation, and feel free to use it without charge for up to a maximum of 10 people, with a low tier pricing schema for additional users from Atlassian Marketplace.
Demo
For more info please see the demo video (1:44 minute long):