Transfer of Personal Data: How to ensure a high level of protection and security?

The question of personal data protection regularly arises in connection with the many data transfers that take place, whether intra-EU or extra-EU. Five years after the GDPR became applicable, here is an overview of the rules in force.

The processing of personal data

Personal data, sensitive data

Personal data are classified into categories within the General Data Protection Regulation (GDPR). According to the GDPR, personal data refers to any information relating to an identified or identifiable natural person. This may include information such as name, first name, email address, postal address, telephone number, age, etc. (Article 4 of the GDPR).

Among these data, some fall within special categories that require specific protection because they are likely to create significant risks for the rights and freedoms of the individuals concerned (Recital 51 of the GDPR). The GDPR lists these data, which correspond notably to information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data, health data and data concerning sexual orientation (Article 9 of the GDPR).

The collection and processing of such data are subject to stricter restrictions under Article 9 of the GDPR, requiring, for example, a specific legal basis (such as the obtaining of explicit consent) and enhanced security measures.

Processing, collection and storage of personal data

Every data controller or DPO is required to carry out various data processing activities, whether they concern the collection, storage or processing of data in the context of human resources, marketing, commercial prospecting or debt collection.

The concept of processing personal data encompasses any operation concerning personal data, whether it involves organizing it, structuring it, analyzing it, modifying it, deleting it, etc. Collection and storage are among these various data processing activities.

Each processing operation must be implemented for specific purposes (Article 5 GDPR) and is likely to involve a significant amount of data (name, first name, email, IBAN, billing details). Similarly, certain operations may also result in the processing of sensitive data (debt recovery, insurance management, litigation…).

In this respect, the collection of data is the essential step for obtaining information relating to the individuals concerned; it may be carried out through forms, trackers on websites or other means, in accordance with the applicable legislation and regulations, including the GDPR and the French Loi Informatique et Libertés. Ensuring that this collection is compliant is crucial to processing the data within a secure framework.

Processing and storage take place downstream of the collection and correspond to the phase of modification and processing, followed by the secure retention of the data. The retention period must be determined and limited.

These different processing operations often require data transfers, between entities or to actors located outside the European Union (for example, through the use of non-European applications or tools). This aspect must also be regulated.

The different types of personal data transfers

Business-to-business transfers

Article 48 of the GDPR provides that: “Data controllers who are part of a group of undertakings or affiliated establishments within a central organisation may have a legitimate interest to transmit personal data within the group of undertakings for internal administrative purposes, including the processing of personal data relating to clients or employees. The general principles governing the transfer of personal data, within a group of undertakings, to a company located in a third country are not called into question.”

In this context, it is possible to transfer data between entities of the same group. For example, within a group comprising a parent company and its subsidiaries, employee data such as payroll data and performance evaluations may be collected and managed by the subsidiaries and transferred to the parent company for the purposes of group-wide human resources management. Similarly, subsidiaries may collect data on clients residing in other countries and share this information with the parent company located in another country, for commercial analysis purposes or for the provision of services to the group’s clients, among others…

The transfer of data within the group must be implemented in accordance with the principles of Article 5 of the GDPR. A distinction must also be made as to whether these transfers take place within the European Union or not. Generally, these transfers are also regulated by the internal policies of the group concerned, so as to allow uniform application of the applicable legislation and regulations. A case-by-case analysis of the applicable provisions nevertheless remains necessary beforehand.

These transfers are subject to review. This is evidenced by the CNIL’s deliberation dated September 18, 2023. In this case, the CNIL had sanctioned the company SAF LOGISTICS for the transfer of sensitive data from some of its European employees to the parent company in China, without the implementation of appropriate safeguards.

Transfers between data controllers and processors

Situations involving data transfers between the data controller and its processor must also be taken into account. In this context, compliance with data protection standards proves more complex. Compared with data transfers within the same group of companies, the transfer between a data controller and its processors raises additional challenges: as these entities are wholly separate legal persons and are not part of the same group, their levels of compliance may differ significantly, since there are no organisational links of the kind that exist between companies belonging to the same group. The data controller therefore has to determine whether or not its processor is compliant.

To govern transfers and processing of personal data between the data controller or DPO and processors, Article 28 of the GDPR lays down various obligations. Processing carried out by the processor on behalf of the data controller must be formalised in a legal act, generally a contract. This contract must contain clauses relating to data protection, covering elements such as data security, data transfers and the responsibilities of each party. More generally, this contract sets out the framework within which the processor is allowed to process the data transferred to it by the data controller.

International transfers (outside the European Union)

The GDPR lays down strict rules on the transfer of personal data to third countries outside the European Union or to international organisations.

For data transfers outside the EU, several mechanisms are provided for under the GDPR (partly inherited from Directive 95/46):

Adequacy decisions – Article 45 of the GDPR: By means of an adequacy decision, the European Commission may recognise that a third country, a territory or one or more sectors within that third country, or an international organisation ensures an adequate level of data protection, which allows transfers to that destination without specific authorisation. The list of these countries is regularly updated by the Commission.

Standard Contractual Clauses (SCCs) – Article 46 of the GDPR: Businesses can use the standard clauses adopted by the European Commission to govern certain data transfers and ensure a level of data protection comparable to that of the GDPR. These clauses were revised and specified on June 4, 2021.

Binding Corporate Rules (BCR) – Article 47 of the GDPR: Companies may adopt binding corporate rules, approved by the data protection authorities, for the transfer of personal data within the group. These rules are binding on all the relevant entities of the group of undertakings.

Derogations for specific situations – Article 49 of the GDPR: This article provides a list of derogations applicable to data transfers in the absence of an adequacy decision or appropriate safeguards such as binding corporate rules. Among these derogations, the GDPR provides for the explicit consent of the individuals concerned, which may be relied on to authorise the transfer of personal data outside the EU, as well as the performance of a contract or important reasons of public interest.

Security of personal data transfers

Risks associated with the transfer of personal data

Transfers of personal data outside the European Union may present several risks to the protection of personal data, in particular where the destination’s legislation is less strict than that of the EU, which exposes the data of the individuals concerned to a lower level of protection. Once data has been transferred outside the European Union, it may be difficult for the individuals concerned and for EU supervisory authorities to monitor that data and the way in which it is used, stored and protected, or not.

In some countries, individuals may not be able to seek redress for breaches affecting their data, which can make it difficult in practice to protect their rights. Furthermore, the level of data protection can vary considerably from one country to another, or even be called into question by other imperatives, notably in the area of government surveillance.

To assess these differences in legislation or regulation, the European Commission takes into account the criteria referred to above (Article 45 of the GDPR).

The Commission has stressed that it is crucial to ensure that personal data transferred outside the EU benefit from protection equivalent to that guaranteed within the EU, in accordance with the requirements of the GDPR, in order to avoid any risk of infringing data protection rules, as underlined by Recital 104 of the GDPR: “[…] The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union […]”

Security measures to deploy in the event of data transfers

Following the invalidation of the EU-US “Privacy Shield” transfer agreement by the Schrems II judgment of the Court of Justice of the European Union, the European Data Protection Board (EDPB) played a central role in guiding the entities concerned in Europe in regulating their data transfers to third countries. Its recommendations also aimed to ensure that the standards set by the Court of Justice were taken into account.

The EDPB thus published its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (adopted on 10 November 2020), which aim to assist stakeholders in identifying and implementing the supplementary measures required by the current state of the law.

These recommendations aim to supplement the provisions of the GDPR, on the basis of the CJEU’s case law, by specifying the additional means that data controllers and processors must adopt to ensure an adequate level of protection when transferring data to third countries.

In particular, these recommendations provide a methodology for assessing whether supplementary measures are necessary to secure a data transfer and which ones to choose. The goal is to ensure that the personal data transferred benefit from adequate protection in the third country, in accordance with the GDPR and the CJEU’s Schrems II judgment.

Court of Justice of the European Union, 16 July 2020, C-311/18, paragraph 134: “It is, first of all, for the controller or its processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the transfer, whether the law of the third country of destination ensures an adequate level of protection, under EU law, of personal data transferred on the basis of standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.”

In its Recommendations 01/2020, the EDPB specifies the nature of the supplementary measures, which may be:

  • Contractual measures (notably through clauses and annexes to the contract which strengthen transparency (pts 99, 103 and following)):

These measures may take the form of audits and inspections of the data importer’s processing facilities, on-site or remotely, to verify whether data has been disclosed to public authorities and under what conditions (pt 105 and following).

Where the country in which the importer is located initially applies data protection standards similar to those of the EU to the transferred data, the data exporter may require the importer to notify it promptly if it can no longer comply with the terms of the contract, in particular as regards the similar level of data protection. Such inability may result in particular from changes in the legislation or practice of the third country (pts 107, 108 and following).

  • Organizational measures:

These are measures such as internal policies and internal standards applied by data controllers and processors, which can be implemented to ensure the protection of personal data. They help to raise exporters’ awareness of the risks associated with access to data in third countries and to strengthen their responsiveness.

Nevertheless, the EDPB added that implementing organisational measures alone does not guarantee that data transfers meet the equivalence standard required by EU law. Organisational measures must be supplemented by contractual and technical measures, depending on the circumstances, in order to ensure a level of protection of personal data essentially equivalent to that guaranteed within the EU (pts 122 and following).

  • Technical measures:

Among the technical measures it lists, the EDPB mentions pseudonymisation (pt 80), encryption (pt 84), the transfer of data to a data importer in a third country that is specifically protected by national law as a protected recipient (pt 85), and split or multi-party processing (pt 86).
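The pseudonymisation measure in the paragraph above only works if the information needed to re-identify the subjects stays with the exporter in the EU. The following Python example, written for this article and not taken from the EDPB recommendations or from any client tooling, illustrates that split on a constructed payroll record: direct identifiers are replaced by a keyed (HMAC-SHA256) pseudonym, the key and the re-identification table never leave the exporter, and the importer receives only the pseudonymised record, which it can still link across datasets. The identifier list, the `EuExporter` class and the `leaks_direct_identifiers` check are illustrative assumptions, not a published API.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Direct identifiers that must not leave the EU in clear form. Constructed list,
# modelled on the examples the article gives (name, first name, email, IBAN).
DIRECT_IDENTIFIERS = frozenset({"name", "first_name", "email", "iban", "phone"})


class EuExporter:
    """Holds the pseudonymisation secret and the re-identification table.

    Both stay with the exporter inside the EU; only the output of
    pseudonymise() is sent to the importer in the third country.
    (Illustrative class, not an EDPB or GDPR-defined construct.)
    """

    def __init__(self, key: Optional[bytes] = None):
        # A fresh 256-bit secret per exporter. An unkeyed hash would let the
        # importer re-identify subjects simply by hashing guessed names/e-mails.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}  # pseudonym -> direct identifiers, kept EU-side only

    def pseudonymise(self, record: dict) -> dict:
        direct = {k: v for k, v in record.items() if k in DIRECT_IDENTIFIERS}
        payload = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        # Canonical encoding so the same person always maps to the same pseudonym,
        # which lets the importer link records without learning who they concern.
        canonical = json.dumps(direct, sort_keys=True, separators=(",", ":")).encode()
        pseudonym = hmac.new(self._key, canonical, hashlib.sha256).hexdigest()[:32]
        self._lookup[pseudonym] = direct
        return {"subject_id": pseudonym, **payload}

    def reidentify(self, pseudonym: str) -> Optional[dict]:
        # Only possible on the EU side, where the table and key are held.
        return self._lookup.get(pseudonym)


def leaks_direct_identifiers(record: dict) -> bool:
    """Exporter-side check run before transfer: True if any direct identifier remains."""
    return any(k in DIRECT_IDENTIFIERS for k in record)


# Constructed sample payroll record (fictitious values, not real data).
SAMPLE_RECORD = {
    "first_name": "Alice",
    "name": "Martin",
    "email": "alice.martin@example.com",
    "iban": "FR76 0000 0000 0000 0000 0000 000",
    "gross_salary_eur": 4200,
    "performance_rating": "B",
}


def demo(key: bytes = b"\x01" * 32) -> dict:
    """Pseudonymise the sample record and show what each side ends up holding."""
    exporter = EuExporter(key)
    exported = exporter.pseudonymise(SAMPLE_RECORD)
    return {
        "exported": exported,                                   # what the importer sees
        "leaks": leaks_direct_identifiers(exported),            # pre-transfer check
        "recovered": exporter.reidentify(exported["subject_id"]),  # EU-side only
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The pseudonymised record still carries the analytical fields (salary, rating), so the parent company can run its group-wide HR analysis; what it cannot do is map `subject_id` back to a person, because the HMAC key and the lookup table are held by the exporter. Rotating the key produces a new set of pseudonyms, which is also how one would cut the link if the importer can no longer honour the contract.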

The EDPB recommendations also point out (as the CJEU held in its Schrems II judgment) that if the importer is unable to comply with the data protection clauses of the contract, the exporter and the importer must suspend the transfer or terminate the contract (pt 5).

Sometimes, even with additional measures, it may be impossible to guarantee an equivalent level of protection. In such cases, the exporter must cease the transfer to avoid compromising data protection.

More generally, the EDPB has stressed that every exporter must carefully assess the supplementary measures implemented and document them (executive summary of Recommendations 01/2020).

Although Article 35 of the GDPR does not mention data transfers, a data protection impact assessment may prove relevant to assess the risks to the rights and freedoms of the individuals concerned, as well as the measures envisaged to address those risks, including the safeguards and security mechanisms intended to ensure data protection. The European Data Protection Board has thus advocated a dedicated form of impact assessment (the “transfer impact assessment”).


As an expert in personal data protection law, Aumans Avocats supports its clients in all their data-related projects to ensure clear, effective, and lasting compliance. Contact us today.