A data transfer impact assessment to review compliance with the criteria outlined in the Schrems II decision is a pillar of the GDPR accountability program of any business.
In this episode of the podcast “Laws of Disruptors”, Giulio Coraggio, partner at the law firm DLA Piper, outlines DLA Piper’s methodology and legal tech tool to perform the data transfer impact assessments in line with the principles of the Schrems II case.
You can listen to the podcast in this post and on 📲 Apple Podcast, 🎧 Spotify, and 🛒 Amazon Music. Besides, you can read on the same topic, “Do you have a data transfer impact assessment methodology based on the Schrems II decision?”
Below is the transcript of the episode:
With the approval of the final version of the New Standard Contractual Clauses and the recommendations of the European Data Protection Board on data transfers, any business is now convinced that a transfer impact assessment will be a necessary step for transfers of data outside the European Economic Area, and there will be no easy solution that might bypass that step. Indeed, article 14 of the new Standard Contractual Clauses expressly refers to the need to perform a transfer impact assessment and to document it, and the recommendations of the European Data Protection Board reiterate the need to perform such an assessment, even though the new Standard Contractual Clauses are in place and even though the BCRs are in place.
The only exception applies if the transfer is towards a country that offers an adequate level of protection in line with the EU standards. In order to support companies in running such an exercise in the aftermath of the Schrems II case, we developed a methodology that is now supported by a legal tech tool named “Transfer” that automates the transfer assessment. The methodology and the legal tech tool are based on 4 pillars.
First of all, we need to nail down the elements of the transfer assessment that will be produced. We need to have a document that can be in the same file as the contract regulating the transfer, so we outline which are the parties, what are the data importing countries and what kind of data are transferred.
Then the second stage is when we need to assess the laws of the data importing countries. There might be more than one country involved, and so we will have multiple assessments. In this task, fantastic support is given by our colleagues in non-EEA countries, with whom we can cover basically any country worldwide, together with our best friend law firms. So we produce for our clients a report covering the laws and the practices of the data importing country, together with the scoring tool, identifying how wide the divergence from the GDPR is.
The third element is to assess what kind of supplementary measures have been adapted. They can be contractual, can be organizational, and can be technical. But also on this task, we support our clients, because we provided them with an Annex that outlines the additional contractual clauses that can be embedded into the contract and provide the support necessary to reinforce the data transfer, to ensure the compliance of the data transfer with EU standards. The Annex can be adjusted to the peculiarity of the case and to the level of risk, so adapting it basically to the specific needs, and the weight of these additional clauses is then embedded into the legal tech tool with a specific scoring. The third element analyzes the peculiarities of the data transfer in line with what was outlined by the European Commission in the Standard Contractual Clauses. The specific characteristics of the data transfer need to be specifically tackled, and they trigger an additional score.
The final result is a total score that gives you a recommendation as to whether you can proceed with the data transfer, you need to implement additional measures, or the transfer cannot proceed, all in the light of the accountability principle. The good element is that this methodology and legal tech tool have been shown to Data Protection Authorities of the main countries within the European Union, which appraised our effort to automate and make this assessment easier. We then adjusted the assessment to the new Standard Contractual Clauses and the new recommendations of the European Data Protection Board, in an assessment that in any case needs to be a risk assessment, and so with our assessment, we believe that our clients are in a position to better defend their position towards authorities.