What To Do Before The Declaration Of Invalidity Of The Privacy – Shield?
The European Court of Justice (ECJ) has recently stated in its judgment the invalidity of Decision 2016/1250 on the adequacy of the protection afforded by the Privacy Shield EU- EE. UU. Privacy- known as Shield.
On the other hand, the standard contractual clauses of Decision 2010/87, which regulates contracts for access to data on behalf of third parties, in which there is an international transfer of data, between those responsible and those in charge of the treatment, remain valid.
In its statement, the European Data Protection Committee (CEPD) states the importance of this decision taken by the CJEU, since they considered that this framework did not fully guarantee an adequate level of protection.
The CEPD is committed to providing the European Commission with assistance and guidance to build a new Framework that fully complies with EU data protection legislation.
What Will Happen From Now On?
The CEPD will evaluate the sentence in more detail and provide clarifications to interested parties and guidance on the use of instruments for the transfer of personal data to third countries.
Regarding the use of the standard Contractual Clauses of Decision 2010/87, the CEPD is studying the incorporation of additional measures to guarantee the adequate level of protection.
In addition, in this communication, it is indicated that before making the international transfer, there must be a prior evaluation, and it is the exporter (if necessary, with the assistance of the importer) who will take into account the content of the standard Contractual Clauses, the specific circumstances of the transfer, as well as the legal regime applicable in the country of the importer.
The latter will be examined in light of the non-exhaustive factors established in Art. 45 (2) of the RGPD. Therefore, it is leaving that prior assessment in the hands of the exporter. In the event that it considers that it had to incorporate additional measures, the CEPD is studying what those measures would consist of.
How To Legalize International Transfers?
International transfers to this third country, the USA, will have to be made on the basis of the standard contractual clauses of decision 2010/87.
We as responsible and exporters of the data, we have to assess the guarantees of art. 45.2 of the RGPD, among others, to evaluate the pertinent, sectoral and general legislation regarding data protection, the existence and effective functioning of one or more independent control authorities or subjection to an international organization.
If from the result of this evaluation it is considered that the country does not provide a sufficient level of protection, the person in charge may also add additional security measures to these Standard Clauses.
On the other hand, the CEPD, in its statement, urges the use of the exceptions contained in article 49 of the RGPD, following the guidelines published by it.