Romania: Updates on transfers of personal data to third countries
1. Case-law digest on the transfer of personal data to third countries
The European Data Protection Supervisor has published a case-law digest on the transfer of personal data to third countries¹. The case-law digest aims to clarify the structure of the analysis carried out by the Court of Justice of the European Union (“CJEU”) in judgments concerning the transfer of personal data to third countries, in particular by highlighting the steps followed and the jurisprudential acquis in relevant case law.
The digest also uses case studies to address nine questions on how organisations should approach future transfers, as follows:
When does a transfer to a third country within the meaning of Chapter V of the GDPR take place?
What are the powers available to the national supervisory authorities in respect of the transfers?
What is meant by an adequate level of protection?
What is meant by transfers of personal data as interference?
When and subject to which conditions have SCCs been considered valid by the CJEU as a tool for transfer of personal data?
What is meant by effective judicial and administrative redress?
What is meant by the duty to notify to the data subject the transfer of personal data?
Are specific safeguards needed in case of transfer of personal data subject to automated processing or involving sensitive data?
What are the data protection requirements in case of onward transfer of personal data?
2. New Standard Contractual Clauses for the transfer of personal data to third countries
On 4 June 2021, the European Commission (“Commission”) adopted a new set of Standard Contractual Clauses (“SCCs”) for data transfers from controllers or processors in the European Union (“EU”)/European Economic Area (“EEA”) to controllers or processors established in third countries pursuant to the General Data Protection Regulation (“GDPR”).
The new SCCs provide some clarity for cross-border data transfers, by replacing the old clauses and endeavouring to resolve the legal uncertainties regarding transfers of personal data to third countries arising from the CJUE decision in Schrems II which invalidated the EU-U.S. Privacy Shield.
The new SCCs come into force on 27 June 2021. Nevertheless, there are two transitional periods, giving companies time to enter into the new SCCs.
Regarding contracts already executed using the existing SCCs, companies have to update their SCCs by 27 December 2022, provided that processing operations that are the subject matter of the contract remain unchanged during that period and the personal data transferred is subject to appropriate safeguards.
In regard to the new agreements, organizations may use the existing SCCs until 26 September 2021. Such agreements will be deemed to provide proper safeguards until 27 December 2022, subject to the same circumscriptions mentioned above. On the other hand, such new contracts could use the new SCCs.
Note: From 27 September 2021, all new agreements for the processing of personal data must use the new SCCs.
In the absence of a decision by the Commission stating that the third country ensures an adequate level of protection, the transfer may be done only when appropriate safeguards specified in the GDPR are put in place. Of these, SCCs are probably the most common tool chosen in practice to legitimise cross-border transfers.
Companies will need to begin the process of updating and amending existing agreements to incorporate the new SCCs and, where appropriate, implement new operational and legal measures. These include identifying alternatives which would not require further transfer of the personal data outside the EEA and developing and maintaining appropriate documentation, in order to achieve compliance.
It is advisable to review these SCCs and the legal provisions regularly, as they are updated periodically.