Data Transfer to unsafe Third Countries

Of the relevance and potential of the risk-based approach in Transfer Impact Assessment (TIA) under the EU Commission's new Standard Contractual Clauses (SCC), in particular for applicant management software and intra-group data transfers

The consequences associated with the Schrems II decision with regard to third-country transfers pose major challenges for companies and especially HR departments with their often numerous international data transfers. Although the EU Commission has adopted new standard contractual clauses and set the framework for the assessment and implementation of third-country transfers with the "Transfer Impact Assessment" prescribed in Clause 14, the scope of this framework remains unclear: While the SCC follow a risk-oriented interpretation of Art. 46 (2) c) GDPR by the European Commission, the data protection supervisory authorities position themselves with their recommendations and statements contrary to this with a "0-tolerance" interpretation, which does not want to let any risk considerations take effect.

I. Introduction

The legally compliant handling of the transfer of personal data to so-called unsafe third countries¹, especially the USA, is a compliance issue with enormous importance for the "data hub" HR. HR departments transfer extensive amounts of data, some of it highly sensitive, to third countries. For example, when using applicant management systems as Software-as-a-Service (SaaS) or when transferring data within the group, especially when group subsidiaries or parent companies based in insecure third countries act as so-called Shared Service Centres Personnel.² In such cases, those responsible for HR processes must necessarily deal with this issue, because German data protection supervisory authorities have announced a "coordinated audit of international data transfers",³ which also focuses on these two scenarios by means of special questionnaires.⁴

Since the Schrems II ruling,⁵ there has been great uncertainty with regard to data transfers to third countries, especially the USA. With this ruling, the ECJ declared the "Privacy Shield" adequacy decision of the EU Commission (EUCOM) invalid in the sense of Article 45 of the GDPR. More than 4,000 well-known companies had submitted to this self-certification procedure, including numerous service providers whose software and cloud solutions are regularly used by HR departments, such as Adobe Inc, WorkDay Inc or Microsoft Corp.

At the same time, the ECJ also ruled on the usability of standard contractual clauses (SCC) according to Art. 46 (2) c) GDPR. SCCs are often used by companies to secure their transfers to third countries⁶ and are supposed to allow the transfer as an "appropriate safeguard". In principle, but especially with regard to transfers to the USA, the SCCs should no longer be able to constitute such a "safeguard" per se. Rather, the responsible data exporter would have to examine in each individual case whether the law of the third country in accordance with Eurpoean Law ensures adequate protection of the personal data transferred on the basis of SCCs and whether the importer in the third country provides more safeguard than those offered by these clauses, if necessary.⁷

In the context of this paper, we will explore the question whether in the "case-by-case”- test required by the ECJ⁸ or the guarantee of the protection of data “by other means"⁹ in the context of Art. 46(2)c) GDPR is amenable to a balancing in the sense of the principle of the risk-based approach of the GDPR. For this purpose, we will analyse Schrems II, the provisions of the GDPR, the new SCC of the EU Commission¹⁰ and the current recommendations of the European Data Protection Board (EDPB) ¹¹. In parallel, we will provide initial advice on the practical implementation of the new audit obligation.

II. Principle of the risk-based approach in the context of third-country transfers

The principle of the "risk-based approach" is a regulatory concept with which data protection obligations are adapted to the concrete risk situation for the rights and freedoms of the data subject.¹² In this context, "risk" means "a scenario with an event and its consequences that is assessed in terms of its severity and its probability of occurrence".¹³ This approach does not aim to "leverage" data protection obligations - rather, it aims to scale or calibrate the necessary technical and organisational measures according to the actual (expected) risk of the processing.¹⁴ The approach takes into account the fact that while no processing is risk-free, not every risk leads to an unjustifiable violation of the rights of the data subjects.

The risk-based approach permeates the GDPR.¹⁵ It has been enshrined in Article 24 (1) of the GDPR as a core element of the concept of accountability within the meaning of Article 5 (2) of the GDPR.¹⁶ Article 24 (1), first sentence of the GDPR requires the controller to identify the risks to the rights and freedoms of natural persons and to take into account the likelihood and severity of those risks, in relation to the nature, scope, circumstances and purposes of the processing, for each data processing operation. This shall be done on the basis of an objective assessment of the specific data processing in terms of whether that data processing presents a risk or a high risk.¹⁷ Article 32 (1) of the GDPR again specifically requires this assessment with regard to the security of the processing: "Taking into account the state of technology, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk".

If, with regard to third country transfers - as required by the ECJ - an assesment of the specific case is to be carried out and it is to be determined whether it is only (sufficiently) possible to guarantee the protection of the data through additional measures, other elements with significance for the individual case would also have to taken into account in this "determination" in addition to the legislation of the third country. These include, among others, the probability of occurrence of the risk of data access by a third party, the type of data processed and its purposes for determining the severity of the possible occurrence of the risk, as well as for determining the type of additional measures to be taken, if any.

Such a transfer-specific and risk-oriented assessment is also required by the new SCC of EUCOM published in June.¹⁸ Clauses 14 a), b) require the parties to carry out a comprehensive Transfer Impact Assessment (TIA), which consistently takes into account the above considerations. Legally, the TIA is not a completely new entity, but basically a proportionality assessment.¹⁹

In contrast, the European Data Protection Committee (EDPB) has²⁰ so far negated the fact the "risk-based approach" of the GDPR must also be taken into account in the context of third country transfers pursuant to Art. 46 (2) c) GDPR.²¹ Accordingly, completely independent of the type of data transferred - whether purely statistical tracking of a SaaS interface or sensitive health data from a work reintegration management (WRM) - or the probability of occurrence, the only decisive factor would be whether the legal situation of the recipient country had an adequate level of protection and/or whether the data processing could be otherwise protected by additional measures. ²²

1. The risk assessment in clause 14 of the SCC: the Transfer Impact Assessment (TIA)

According to clause 14 a) SCC the parties have to assure that they have no reason to believe that legal provisions (legal situation, i.e. legislation) and practices (legal practice, i.e. application by authorities, courts) in the country of the data importer prevent the data importer from fulfilling its obligations under the contract in order to ensure the necessary level of protection for the transferred data. Clause 14 b) does list various aspects in three groups of cases, which are not exhaustive that are to be taken into account in the context of the assurance:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used, intended onward transfers, the type of recipient, the purpose of the processing, the categories and format of the transferred personal data, the industry sector in which the transfer occurs, the storage of the data transferred,

(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards,

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.²³

The wording of clause 14 b) clearly shows that the legislation (ii) only plays a role, but not "the" role for the TIA. In addition, the application of the law (ii), the contractual, technical and organisational safeguards (iii) and also the categories of data, purposes of the processing and recipients of the data (i) must be taken into account for the specific case.

2. Negation of the principle of the risk-based approach within the framework of Art. 46 (2) c) by the EDPB

Already in the aftermath of Schrems II, the EDPB²⁴ prepared a draft recommendation on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data²⁵ in November 2020 and submitted this to public consultation. On 18.06.2021 - after the public consultation and the publication of the SCC - the second version has been published. ²⁶ In addition, a joint EDPB/EDPS Opinion 2/2021 on the EUCOM Implementing Decision on standard contractual clauses was published in May 2021.²⁷

According to these documents, for a lawful transfer of data to an insecure third country, it is (almost) exclusively relevant that this third country has an adequate level of protection with regard to the legislation.²⁸ It is literally stated there: "Your assessment should be focused first and foremost on third country legislation that is relevant to your transfer and the Article 46 GDPR transfer
tool you are relying on.“

The EDPB imposes verification obligations on the responsible data exporter regarding transfers to third countries with regard to the legislation and legal practice of the third countries. These verification obligations go beyond the requirements of the GDPR and ignore the risk-based approach of the GDPR, which is also inherent in Art. 46 (2) c) GDPR²⁹ and in particular paragraph 14 of the new SCC.

a. Assessment of the adequate level of protection according to EDPB

For the assessment of the adequate level of protection, the EDPB first refers to its Recommendation 2/2020 on fundamental surveillance measures.³⁰ As a result, the EDPB requires the data exporter to check whether and which legal remedies exist against official prosecution and rights of access and whether these comply with Art. 47, 52 of the EU Charter of Fundamental Rights (CFR)³¹ (proportionality, guarantee of legal recourse). ³²

In Recommendations 1/2020 Version 2.0 from June 2021, these verification obligations are expanded and concretised once again: On the one hand, the responsible data exporter should assess the legal situation of the country to which he wants to transfer data.³³ On the other hand, the data exporter should also assess the legal practice in that country.³⁴ A transfer is not considered permissible if the legal situation does not respect the core of the fundamental rights and freedoms of the CFR.³⁵ With regard to the scope of the assessment, the EDPB provides contradictory indications. On the one hand, the controller is supposed to include the elements that are examined by the EUCOM (sic!) within the framework of Art. 45(2) GDPR in its examination.³⁶ On the other hand, the scope of the assessment is supposed to be limited to the legislation and practices relevant to the protection of the specific data being transferred, in contrast to the general and wide-ranging adequacy assessments carried out by the European Commission under Art. 45 GDPR.³⁷

However, if not only the legislation, but also the current legal practice is to be examined by the controller, the controller is forced into the situation of having to comprehensively assess a foreign legal situation, including case law, with regard to the data transfers it intends to carry out. This means that the contractual assurance by means of the standard contractual clauses within the meaning of Article 46 (2) c) of the GDPR would in fact have no value, as the controller is nevertheless required to carry out a full comprehensive assessment - such as cannot be carried out at all by SMEs and only at considerable expense by large corporations.

This requirement is highly surprising for two reasons. Firstly, the controller should be able to rely on the importer and the information, documents and sources provided by him as well as his experience with the local authorities as a source of information.³⁸ This means that the controller should be able to fall back on the expertise of the person who has a high economic self-interest in the best presentation of the situation. This means that this assesment requirement - at least in the required depth - ad absurdum to a certain extent.

Secondly, the data protection authorities themselves admit that they cannot carry out such assessments of foreign legislatures.³⁹ This is understandable, as such assesments are extraordinarily complex and can only be carried out in the required depth by lawyers with good knowledge of both European and third-country jurisdictions. It is therefore not surprising that the Berlin Supervisory Authority has requested an external expert opinion on the legal situation in the USA.⁴⁰ However, the EDPB imposes exactly this obligation on every company, regardless of the type of data transferred and/or its purpose.

The EDPB imposes on the controller, within the framework of Art. 46 (2) c) GDPR, an examination of the legal situation of the state to which data are to be transferred, which they themselves cannot carry out and which is not envisaged by Art. 46 (2) c) GDPR, but is reserved in this depth to the EUCOM by Art. 45 GDPR for good reasons.⁴¹

Incidentally, it is completely irrelevant whether an equally high level of protection exists in the jurisdiction of the data exporter. Finally, it is completely ignored - both in the ECJ ruling and in the subsequent discussion - that many European countries themselves do not have the level of protection required in the ECJ ruling, for example with regard to the obligation to inform the persons concerned or the reservation of the right to a judge, and that the ECtHR has also ruled that certain intelligence measures can be carried out in such frameworks.⁴²

According to the EDPB, the examination of the legal situation and practice can therefore only lead to two results:

i. either an adequate level of protection exists and data transfer is possible

ii. or there is no adequate level of protection.

In the latter case, the data transfer must either be stopped or effective additional measures must be taken.⁴³

b. Negation of the principle of the risk-based approach by EDPB

Thus, there is no room for the EDPB to take a risk-based approach to assessing the admissibility of third country transfers through the TIA under clause 14 of the SCC.

While the EDPB also states that "objective factors" may be taken into account under the TIA, namely:

i) the purposes for which the data are transferred and processed (e.g. marketing, human resources, storage, IT support, clinical trials),

ii) the type of entities involved in the processing (public/private, controller/processor),

iii) the sector in which the transmission takes place (AdTech, telecommunications, financial sector, etc.),

iv) the categories of personal data transferred (for example, personal data concerning children may be subject to specific legislation in the third country),

v) possible storage of data in a third country or mere remote access to data stored in the EU or EEA, the format of the data to be transmitted (e.g. plain text, pseudonymised or encrypted),

vi) the possible onward transfer of data from the first third country to another third country. ⁴⁴

Therefore, the concrete circumstances of a data transfer, referred to by the EDPB as "objective factors", seem amenable to a classic proportionality test under the risk-based approach. However, according to the EDPB, these "objective factors" are to be used exclusively in assessing "whether there is anything in the law or practice of the third country of destination, which prevents the data importr from fulfilling its obligations under the Draft SCCs in the context of the specific transfer, should be based on objective factors,
regardless of the likelihood of access to the personal data." ⁴⁵. Thus, according to the EDPB, the specific circumstances of the third party transfer may only be used to determine whether the legal situation in the third country provides an adequate level of protection for these data. But not in order to assess the probability of occurrence of a risk, the severity of a possible risk and the adequacy of protective measures, which in turn also depend on the type of data and the severity of the risk. Hence, in the EDPB's view, a data transfer under Art. 46(2)c) GDPR is not subject to the principle of the risk-based approach. A TIA under clause 14 of the SCC would accordingly be limited exclusively to the assessment of the adequacy of the legal situation and legal practices with regard to the level of protection.

In this respect, the EDPB remains inconsistent already in its own explanations. After all, it states elsewhere: "They may also take into account documented practical experience of the importer with relevant previous cases of requests for information from authorities in the third country.".⁴⁶ This means that probabilities of occurrence - namely in the assessment of legal practice - can very well be included in the assessment. In this regard, From the explanations in the footnotes it can be seen that the EDSA certainly assumes a connectivity of the (risk-based) measures of Art. 32 and the guarantees according to Art. 46 GDPR.⁴⁷ Nevertheless, a representative of the German supervisory authorities recently emphasised once again that the EDPB's explanations should in no way be understood as a risk-based approach. ⁴⁸

Conclusion

Thus, the EDPB imposes on the responsible data exporter within the framework of the TIA, on the one hand, a comprehensive examination of the legal situation and legal practice of the third country, which the supervisory authorities themselves are not in a position to carry out and which goes beyond what is required by Art. 46 GDPR. Besides the fact that these requirements set by the EDPB seem cynical to the medium-sized company that maintains its IT department in India and is therefore dependent on the transfer of employee data, this also contains a positive momentum: the supervisory authorities must be able to prove a violation of the GDPR in a specific case. However, if they themselves are not in a position to assess the foreign jurisdictions including their practices and have to obtain legal opinions from third parties for this purpose, the authorities will not be able to provide the corresponding evidence in their everyday work. In other words, the TIA required by the authorities, which is almost exclusively geared to the legislation and jurisdiction of the recipient country, is not something that the authorities themselves will be able to examine in terms of content.⁴⁹

On the other hand, the TIA according to clause 14 of the SCC under Art. 46(2)c) is, in the view of the DPAs, exclusively limited to the legal situation and practice of the third country and deprived of the application of the principle of the risk-based approach. The EDPB justifies this by stating that the ECJ did not refer to any subjective factor such as the probability of access in the Schrems II ruling.⁵⁰ However, this reasoning does not last due to numerous aspects, as the further explanations will show.

III. Admissibility of a more risk-oriented interpretation of Art. 46 (2) c) GDPR

The EDPB recommendation described above leads to a "0-tolerance" interpretation of Art. 46 (2) c) GDPR. It leaves no room for a risk-oriented assessment in the specific case and counteracts the obligation to a TIA laid down in clause 14 of the SRP, which allows such an assessment. This is not convincing. There are better arguments for a more risk-oriented interpretation. The decisive premise for the TIA is: If data is transferred to a third country and the exporter cannot know with absolute certainty whether processing in breach of European law will occur in the specific case during and after the transfer, then the data exporter may engage in a proportionality assessment that also includes the concrete risks. In the risk modelling, the probability that a violation of European law will actually occur in the third country in the specific case must also exceed a certain materiality threshold. If the data exporter comes to the conclusion in the context of the TIA that this materiality threshold will not be exceeded in the specific data transfer, he fulfils the requirement of Art. 46 (1), (2) c) GDPR. Hypothetical risks without any reference to the specific transfer to a third country are therefore not sufficient to attest to its unlawfulness. ⁵¹

1. Like Seed, Like Harvest: Schrems II's Equalisation of All Chapter 5 Instruments

The starting point for the “0-tolerance” interpretation of the EDPB could initially be found in a legal acrobatics performed by the ECJ in Schrems II: The ECJ stated that via Art. 44 p. 2 GDPR, the same standard for the level of protection should apply to all types of data transfers in Chapter 5, regardless of the security instrument (e.g. SCC), specifically “ensuring … a level of protection essentially equivalent to that which is guaranteed within the European Union”⁵² The EDPB now seems to assume that if the adequacy decision (AB) for a third country (e.g. Privacy Shield) is not "essentially equivalent " to European law, other instruments from Chapter 5 (e.g. SCCs) can only be used for a transfer to that same third country (e.g. USA) if any collision between the obligations under the SCCs and the legal situation in the third country is excluded, irrespective of the concrete individual case. Both this equalisation of fundamentally different security instruments and the dogmatically dubious derivation of the uniform standard created for this ("essentially equivalent") by Schrems II are not only problematic, but must be refused.

Gulczynska aptly analyses this:":⁵³ "Essentially equivalent " is a requirement mentioned only in Recital (RC) 104. However, RC 104 is only relevant for the interpretation of Art. 45, i.e., for adequacy decisions. "Essentially equivalent" in turn finds its origin in the ECJ decision on Schrems I⁵⁴ and the interpretation of the former Data Protection Directive (DPD)⁵⁵ regarding the then applicable adequacy decision "Safe Harbour"⁵⁶. Even here, the combination of "adequate level of protection" (wording of Art. 25 DPD) and "essentially equivalent " (addition by the ECJ) was subject to systematic criticism. "Essentially equivalent " was only found in one RC of the DPD, which exclusively concerned intra-European situations and not non-European data transfers. Schrems II unfortunately continues this approach. This leads, in very brief form, to conflicts with other core principles of the EU (e.g., the rule of law and legal certainty) as well as to various systematic breaks and open questions of interpretation within the GDPR.

2. Article 46 has a different protection mandate and scope than Article 45

If one compares the individual safeguard instruments in Chapter 5 of the GDPR with each other, structural differences in the scope and focus of the protection granted become apparent, which already speak against an "equalisation" of Art. 45 and 46. While the European Commission assesses the level of protection of a recipient country by means of an adequacy decision in a time-consuming and formalised procedure at the first stage generically, i.e. independently of the sector, business process and company, on the basis of the legislation "for" the exporter (Art. 45 GDPR), the SCC is precisely about an inter-organisational and transfer-related assessment on the basis of a TIA to be documented for the specific case by the parties themselves (Art. 46 GDPR). If neither Art. 45 nor Art. 46 GDPR apply, Art. 49 GDPR allows the transfer for very specific exceptional situations without having to carry out such a detailed TIA as in the case of the SCC. In this respect, the SCCs are in the "middle" of both instruments and, unlike the adequacy decision, have a self-regulatory character with regard to the exporter.

3. Self-regulation and dealing with risks are inherent in the SCCs

There are several instruments in the GDPR for self-regulation, e.g., the specification of technical and organisational measures according to Art. 32 GDPR or the examination and handling of potential high-risk processing and the obligation to carry out a Data Protection Impact Assessment in terms of Art. 35 GDPR. What these instruments have in common is that they grant the controller a forecasting latitude in decision-making to scale the protective measures when dealing with the uncertainties involved. Nothing else applies to the duty of TIA according to the SCCs: A TIA is according to its objective, inextricably linked to uncertainties that require premises.⁵⁷ To determine the factual basis necessary for the TIA alone is a more than complex undertaking for the parties, which in parts will be beyond the data exporter's possibilities of insight, assessment and influence (see II.). The EDPB also seems to recognise this problem in principle ("may clearly indicate", "may be lacking", "may be problematic", "may be unclear", "no reason to believe").⁵⁸ Moreover, the idea is also reflected in the wording of Art. 46 (2) GDPR, which speaks of "appropriate safeguards". What is "appropriate" can only be determined after a risk-oriented assessment. This is also consistent, for example, with regard to Art. 32 (1) GDPR, which requires the definition of "measures" that are also⁵⁹ " appropriate " to ensure the protection of data confidentiality (Art. 32 (1) b) GDPR). What is "appropriate" is to be determined there by considering, among other things, "the nature, scope, context and purposes of processing as well the risk of varying likelihood and severity for the rights and freedoms of natural persons" (see II.) In other words, there can be no absolute protection of confidentiality, so there is also an examination of proportionality. This is in the nature of things: no data processing is without risk - this applies to domestic and intra-European, but also to international data transfers. Therefore, a selection decision that takes into account the actual risks of the processing also serves as a corrective to the seemingly absolute protection of personal data and thus to maintain proportionality.

4. Proportionality guards against inadmissible data localisation

Apropos: The ECJ also noted in Schrems II that the protection of personal data is not absolute ("However, the rights enshrined in Articles 7 and 8 of the Charter are not absolute rights but must be considered in relation to their function in society ").⁶⁰ see Art. 52 para. 1 sentence 2 CFR. The enforcement of the "0-tolerance" interpretation by the authorities inevitably interferes with the rights and freedoms of third parties granted by the CFR, namely freedom of information (Art. 11 CFR), freedom to conduct a business (Art. 16) and right to property (Art. 17). These legal interests must be weighed in the balance in official enforcement, as must the data protection grant by Art. 8, 7 CFR. Only a risk-oriented interpretation preserves this proportionality. Therefore, it is also consistent that the risk-based approach refers to all processing operations, including transfers pursuant to Art. 44 of the GDPR (see II.). An interpretation to the contrary opens the door to a de facto localisation of data within the EU as a result of the GDPR. Incidentally, this effect can also occur if one considers that the ECJ itself does not define in Schrems II what is specifically meant by "additional measures", so that recommendations by European supervisory authorities (see II.) also do not bring any legal certainty and, moreover, the other mechanisms of Art. 45 et seq. GDPR do not offer any substitute for the SCC that is relevant in business practice.⁶¹ The use cases of the EDPB do the rest by taking many traditional business processes in the international context ad absurdum in a "one-size-fits-all" manner (see II.). This whole effect would run counter to proportionality. This also applies to the understanding that the GDPR has of the importance of international data transfers for international trade (RC 101, sentence 1), and would counteract efforts by the EU to avoid international trade barriers (e.g. in the WTO). ⁶² It is therefore not far-fetched to criticise that the compliance requirements of the GDPR have created a de facto requirement for non-EU data processors to localise data, which would have made it impossible under Art. XVI, XVII GATS. ⁶³

5. Conclusion

No "subjective" or even arbitrary results follow from a risk-oriented interpretation, which would have to be disregarded in the usability of SCC according to Art. 46 (2) c) GDPR. The calculation of the probability can be carried out in a regular, objectively comprehensible manner and by reverting to instruments proven in other disciplines.⁶⁴ A very good example is the tool developed by Rosenthal for "Cloud Computing: Risk Assessment of Lawful Access By Foreign Authorities ". ⁶⁵

IV. Conclusion and recommendations

According to the current legal opinion of the EDPB as well as national supervisory authorities,⁶⁶ only the law and practice of the recipient country must be assessed in the context of third country transfers under Art. 46 (2) c) GDPR as part of a transfer impact assessment. This is also shown by current enforcement practice.⁶⁷

Apart from the fact that the opinion of the supervisory authorities has no binding effect,⁶⁸ it does not stand up to closer scrutiny. As shown, the principle of the risk-based approach of the GDPR must also be considered in a transfer impact assessment within the meaning of Art. 46 (2) c) GDPR and clause 14 b) of the SCC and included via a proportionality assessment. Decisions of the EU Commission, such as the implementing decision on the SCC, are EU secondary law according to Art. 288 TFEU and are binding.

For HR departments, this means the following:

Data transfers to unsafe third countries must be subjected to a transfer impact assessment, regardless of whether they are group internal or external. Otherwise, the requirements according to Art. 46 (2) c) GDPR and clause 14 of the SCC are not fulfilled, and the data transfer is therefore unlawful.⁶⁹ This initially seems to mean a massive additional workload for HR departments. Especially if one only thinks of the manifold data transfers in applicant and personnel management systems. However, if these have already been properly documented in the record of processing activities according to Art. 30 GDPR and analysed within the framework of a threshold analysis in the sense of Art. 35 GDPR, the step to a TIA is no longer a big one. This is especially true when one considers the effort that is regularly required to change such a system. Contrary to the rather impractical assumption of representatives of the authorities⁷⁰ that an applicant management system can be changed without any problems, the reality shows that in more than 50% of the companies at least twelve months and thus considerable financial and personnel resources have to be planned for this.⁷¹ As a rule, it will be even more difficult to dissolve grown work processes and thus data transfer processes in larger groups, especially in case of shared service centres.

Against this background, a risk-based TIA is the obvious and regularly also more cost-effective step to verify whether the existing data transfers can be continued in conformity with the law.

The concrete possibilities for the implementation of a TIA in the sense of clause 14 of the SCC, in particular about structure and frequency, are still under discussion due to the just recent publication.⁷² We will certainly contribute to this discussion again.

^* Nina Diercks has been working as a lawyer since 2010 and runs the Anwaltskanzlei Diercks (Diercks Law Firm) in Hamburg, Germany. She practices nationwide exclusively in the areas of IT law, data protection law and the related labour law.
^** Heiko Roth is an internal data protection officer in the corporate environment - the views expressed here reflect exclusively the private opinion of the author.
¹ These are countries outside the scope of the GDPR, also called third countries (Art. 45 GDPR).
² See: Diercks, Datenübermittlung im Konzern - Rechtsgrundlagen und formelle Anforderungen: Existiert ein Konzernprivileg und sind Intercompany-Verträgen eine Lösung?, 10.05.2020, Diercks Digital Recht Blog, https://kurzelinks.de/0tzx [05.07.2021].
³ HmbfDI, Koordinierte Prüfung internationaler Datentransfers, https://kurzelinks.de/se2x [05.07.2021].
⁴ HmbfDI, Koordinierte Prüfung internationaler Datentransfers; Fragebogen Bewerbermanagementsysteme, https://kurze-links.de/b90d und Fragebogen konzerninterne Datentransfers, https://kurzelinks.de/xlus [05.07.2021].
⁵ ECJ, 16.07.2020, C-311/18 - Schrems II, https://kurzelinks.de/xviv [05.07.2021]; see only Benedikt ZdiW 2021, 12 et seq. and Filusch ZdiW 2021, 9 et seq.
⁶ DIGITALEUROPE et al, Schrems II - Impact Survey Report, Nov. 2020, https://kurzelinks.de/6bgh [05.07.2021]; IAPP, IAPP-EY Annual Privacy - Governance Report 2019, p. 77; currently the UK is also working on new SCCs as a result of Brexit, see: ICO, Five things we learned from the DPPC 2021, https://kurzelinks.de/ve87 [05.07.2021].
⁷ ECJ, 16.07.2020, C-311/18, para 134, https://kurzelinks.de/xviv [05.07.2021].
⁸ ECJ, 16.07.2020, C-311/18, para 134, https://kurzelinks.de/xviv [05.07.2021].
⁹ ECJ, 16.07.2020, C-311/18, ruling no. 3, https://kurzelinks.de/xviv [05.07.2021].
¹⁰ Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, OJ L 199, p. 31 (hereinafter: Standard Contractual Clauses on third country transfers - SCC), https://kurzelinks.de/f5e4 [05.07.2021].
¹¹ EDBP, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, 18.06.2021, https://kurzelinks.de/9pky [05.07.2021].
¹² Veil, DSGVO: Risikobasierter Ansatz statt rigides Verbotsprinzip - Eine erste Bestandsaufnahme, ZD 2015, 347, 347 f.
¹³ EDPB, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679 (WP248 rev0.1), 04.10.2017, p. 6: https://kurzelinks.de/x5x3 [05.07.2021].
¹⁴ In detail on the example of Art. 35 GDPR: Hense/Roth, ComplianceBerater 2020, p. 276, 276 f. with further references.
¹⁵ cf. Ehmann/Selmayr - Heberlein, DSGVO, 2nd ed. 2018, Art. 5, marginal no. 30; in conclusion also: Gola - Piltz DSGVO, 2nd ed. 2018, Art. 24 marginal no. 19; Busche.v./Voigt - Voigt, Konzerndatenschutz, 2nd. Auflage 2019, Risikobasierter Ansatz in der DSGVO, Teil 3, Kapitel 2, C; instructive also: Koreng/Lachenmann - Witt, Formularhandbuch Datenschutzrecht, 2nd edition 2018, Einführung zum risikobasierten Ansatz in der DSGVO, Ziffer C. V. 2..
¹⁶ Ehmann/Selmayr - Heberlein, DSGVO, 2nd ed. 2018, Art. 5 marginal no. 30; in conclusion also: Gola - Piltz DSGVO, 2nd ed. 2018, Art. 24 marginal no. 19; see on this already: Council DC. no. 6607/1/13 REV1 v. 1.3.2013, https://kurzelinks.de/pbfs [05.07.2021]; instructive: Veil - DSGVO: Risikobasierter Ansatz statt rigides Verbotsprinzip - Eine erste Bestandsaufnahme, ZD 2015, 347, 347 f.
¹⁷ Ehmann/Selmayr - Heberlein, DSGVO, 2nd ed. 2018, Art. 5 marginal no. 30.
¹⁸ Standard Contractual Clauses on Third Country Transfers, https://kurzelinks.de/f5e4 [05.07.2021].
¹⁹ Golland ZD 2020, 2593, 2594.
²⁰ European Data Protection Board (EDBP).
²¹ EDBP, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 10.11.2020, [henceforth: EDBP, Recommendations 01/2020 Measures Transfer Tools] https://kurzelinks.de/zfmi [05.07.21]; EDPB, Recommendations 01/2020 Version 2.0 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 18.06.2021, [henceforth: EDPB, Recommenda-tions 01/2020 Version 2.0], https://kurzelinks.de/9pky; [05.07.21]; EDPB Recommendations 02/2020 on the essential Euro-pean safeguards in relation to supervision measures, 10.11.2020, [henceforth: EDPB Recommendations 02/2020 Supervision measures], https://kurzelinks.de/25l3 [05.07.21].
²² Cf. EDPB, Recommendations 01/2020 Version 2.0, 18.06.2021], marginal no. 52, https://kurzelinks.de/9pky, [03.07.2021]: In addition to technical measures, marginal no. 52 also mentions contractual and organisational measures as possible addi-tional measures; in marginal no. 53, however, it is immediately made clear that, in the view of the EDPB, these alone cannot be sufficient to adequately safeguard a problematic legal situation and/or practice.
²³ Standard Contractual Clauses on Third Country Transfers, https://kurzelinks.de/f5e4 [05.07.2021].
²⁴ European Data Protection Board, independent body of the EU, which is to ensure the uniform application of the GDPR and is staffed with representatives of the national supervisory authorities; recommendations of the EDPB are not binding.
²⁵ EDPB, Recommendations 01/2020 Measures Transfer Tools, 10.11.2020, https://kurzelinks.de/zfmi [05.07.2021].
²⁶ EDPB, Recommendations 01/2020 Version 2.0, 18.06.2021, https://kurzelinks.de/9pky, [05.07.21].
²⁷ EDPB/EDPS Joint Opinion 2/2021 on the European Commission Implementing Decision on Standard Contractual Clauses for Transfers of Personal Data to Third Countries, [henceforth: EDPB/EDPS Joint Opinion 2/2021 Standard Contractual Clauses] https://kurzelinks.de/nroy [05.07.2021].
²⁸ EDPB, Recommendations 01/2020 Measures Transfer Tools, 10.11.2020, p. 3, https://kurzelinks.de/zfmi: EDPB, Recom-mendations 01/2020 Version 2.0, 18.06.2021, p. 3, https://kurzelinks.de/9pky [05.07.2021].
²⁹ See point I.
³⁰ EDPB Recommendations 02/2020 Monitoring Measures, 10.11.2020, https://kurzelinks.de/25l3 [05.07.2021].
³¹ Charter of Fundamental Rights of the European Union. Latest consolidated version: OJ C 326, 26.10.2012, p. 391: https://kurzelinks.de/8xva [05.07.2021].
³² EDPB, Recommendations 02/2020 Surveillance Measures, 10.11.2020, marginal no. 24: https://kurzelinks.de/25l3 [05.07.2021].
³³ EDPB, Recommendations 01/2020 Version 2.0, 18.06.2021, marginal no. 43, https://kurzelinks.de/9pky [05.07.2021].
³⁴ EDPB, Recommendations 01/2020 Version 2.0, 18.06.2021, marginal no. 43.1 f., https://kurzelinks.de/9pky [05.07.2021].
³⁵ Cf. EDPB, Recommendations 01/2020 Version 2.0, 18.06.2021, marginal no. 38 https://kurzelinks.de/9pky [05.07.2021].
³⁶ Cf. EDPB, Recommendations 01/2020 Version 2.0, 18.06.2021, marginal no.
³⁷ https://kurzelinks.de/9pky [05.07.2021]. Cf. EDPB, Recommendations 01/2020 Version 2.0, 18.06.2021, marginal no. 37 https://kurzelinks.de/9pky [05.07.20].
³⁸ EDPB, Recommendations 01/2020 Version 2.0, 18.06.2021, marginal no. 44-47, https://kurzelinks.de/9pky [05.07.2021].
³⁹ Thus, a representative of a supervisory authority at the Munich KnowledgeNet of the IAPP on 17.11.2020, see Stephan Schmidt, https://twitter.com/stephanschmidt/status/1328610601292210176 [05.07.2021]; cf. also: Benedikt ZdiW 2021, 12.
⁴⁰ According to: Minutes of the 101st Conference of the DSK of 28/29 April 2021, Item 20, https://www.datenschutzkonfer-enz-online.de/media/pr/21010621_protokoll_zur_101_DSK.pdf [05.07.2021].
⁴¹ See section III.
⁴² ECtHR, Case of Kennedy v. The United Kingdom, c. 26839/05, 18 May 2010, https://kurzelinks.de/u5ix [05.07.2021]; Euro-pean Union Agency for Fundamental rights -Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU, Volume I: Member States' legal frameworks, 2017, 51-54, https://kurzelinks.de/7oqs [05.07.2021].
⁴³ Cf. EDPB, Recommendations 01/2020 Version 2.0, 18.06.2021, marginal no. 49 https://kurzelinks.de/9pky [05.07.2021].
⁴⁴ EDPB/EDPS, Joint Opinion 02/2021 Standard Contract Clauses, 18.06.2021; marginal no. 86, https://kurzelinks.de/nroy; EDPB, Recommendations 01/2020 Version 2.0, No. 33 ff and No. 54, https://kurzelinks.de/9pky [05.07.2021].
⁴⁵ EDPB/EDPS, Joint Opinion 02/2021 Standard Contract Clauses, 18.06.2021; marginal no. 86, https://kurzelinks.de/nroy; see also EDPB, Recommendations 01/2020 Version 2.0, marginal no. 33 ff and marginal no. 54, https://kurzelinks.de/9pky [05.07.2021].
⁴⁶ EDPB, Recommendations 01/2020 Version 2.0, marginal no. 47, https://kurzelinks.de/9pky [05.07.2021].
⁴⁷ EDPB, Recommendations 01/2020 Version 2., 18.06.2021, p. 18, fn. 55, https://kurzelinks.de/9pky [05.07.2021].
⁴⁸ Ambrock, Head of the Schrems II Taskforce of the German Länder, on 29.6.2021 at the online lecture "Implementation of the Schrems II Decision and New Standard Contractual Clauses of the EU Commission" of the Liechtenstein Data Protection Association, https://kurzelinks.de/xppy [05.07.2021].
⁴⁹ Cf. Benedikt ZdiW 2021, 12; instructive also on the limits of supervisory action: Schwartmann/Burkhardt ZD 2021, 235, 240.
⁵⁰ Joint Opinion 2/2021 EDPB/EDPS Standard Contractual Clauses; marginal no. 87, https://kurzelinks.de/tlio [05.07.2021].
⁵¹ Conseil d'État, 12.03.2021, Ordonnance de référé N° 450163, https://kurzelinks.de/ypub; Conseil d'État, 13.10.2020, Or-donnance de référé N° 444937 https://kurzelinks.de/35wi [05.07.2021]. The proceedings were conducted on an interim relief basis, and the existence of obvious or serious violations of the data processing in question was examined.
⁵² ECJ, 16.07.2020, C-311/18, paras 92, 96, https://kurzelinks.de/xviv [05.07.2021].
⁵³ In the following and in detail: Gulczynska, IDPL, A certain standard of protection for international transfers of personal data under the GDPR, 2021, online version via Oxford University Press, https://kurzelinks.de/u09w [06.07.2021].
⁵⁴ ECJ, C-362/14, 06.10.2015, https://kurzelinks.de/9pky [06.07.2021].
⁵⁵ Directive 95/46/EC of the European Parliament and of the Council of 24.10.1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31.
⁵⁶ Commission Decision of 26.07.2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour principles and related frequently asked questions issued by the US Department of Commerce, OJ L 215, 25.08.2000, p. 7
⁵⁷ Kuner, The Schrems II judgment of the Court of Justice and the future of data transfer regulation, 17.07.2020, https://kur-zelinks.de/yi72: “mini adequacy decisions“. [05.07.2021]
⁵⁸ EDPB, Recommendations 01/2020 Version 2.0, 18.06.2021, S. 17 Rn. 43.1 - 43.3, https://kurzelinks.de/9pky [05.07.2021].
⁵⁹ The EDPB also seems to assume a connectivity of the measures of Art. 32 and the safeguards under Art. 46 GDPR: EDPB, Recommendations 01/2020 Version 2.0, 18.06.2021, S. 18 Rn. 55, S. 2, https://kurzelinks.de/9pky [05.07.2021].
⁶⁰ ECJ, 16.07.2020, C-311/18, para. 172, https://kurzelinks.de/55fg [05.07.2021].
⁶¹ Chander, Is Data Localization a Solution for Schrems II?, in: Journal of International Economic Law (Draft), 27.07.2020, p. 4 ff, https://kurzelinks.de/v9fe [05.07.2021].
⁶² Chander, Is Data Localization a Solution for Schrems II?, in: Journal of International Economic Law (Draft), 27.07.2020, p. 12 with further references, https://kurzelinks.de/v9fe [05.07.2021].
⁶³ Meddin: The Cost of Ensuring Privacy: How the General Data Protection Regulation Acts as a Barrier to Trade in Violation of Articles XVI and XVII of the General Agreement on Trade in Services, American University International Law Review: Vol. 35, Issue 4, p. 997 (1022 ff.).
⁶⁴ Steinbrück, CR 2020, 780 ff. using the example of the DPIA; for more in-depth information on the DPIA also: Hense/Roth, ComplianceBerater 2020, 276 ff., 330 ff.
⁶⁵ Rosenthal, Cloud Computing: Risk Assessment of Lawful Access By Foreign Authorities, Version 5.01, 03.07.2021, https://kurzelinks.de/v9aq [05.07.2021].
⁶⁶ DSK press release of 21.06.2021 Supplementary checks and measures needed despite new EU standard contractual clauses for data exports, https://kurzelinks.de/u3kv [07.07.20 21].
⁶⁷ For example, the Portuguese DPA: CNPD (Comissão Nacional de Proteção de Dados), 11.05.2021, Deliberação/2021/622; CNPD, 27.04.2021, Deliberação/2021/533, https://kurzelinks.de/ztzz [05.07.2021].
⁶⁸ See Art. 288 TFEU.
⁶⁹ BayLDA, 15.03.2021, LDA-1085.1-12159/20-IDV: https://kurzelinks.de/a4rc [06.07.2021].
⁷⁰ Accordingly: Ambrock, Head of the Schrems II Taskforce of the German Regional DPA on 29.6.2021 at the online lecture "Implementation of the Schrems II decision and new standard contractual clauses of the EU Commission" of the Liechtenstein DPA, https://kurzelinks.de/xppy [05.07.2021].
⁷¹ Survey on switching from Recruiting-/HR-Management-Systems among HR managers with 127 participants; instructive also the comments under the survey, https://twitter.com/RAinDiercks/status/1410226493419106309?s=20 [06.07.2021].
⁷² Instructive already before the SCC: CIPL, A Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision, 24.09.2020, https://kurzelinks.de/4u6y [06.07.2021].