actions to fulfil the obligations to inform data subjects under Articles 13.1.f and 14.1.f GPDR about your transfers of their personal data to third countries may also assist you.25 10. When mapping transfers, do not forget to also take into account onward transfers, for instance whether your processors outside the EEA transfer the personal data you entrusted to them to a sub-processor in another third country or in the same third country.26 11. In line with the GDPR principle of “data minimisation”,27 you must verify that the data you transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. 12. These activities must be carried out before any transfer is made and updated prior to resuming transfers after suspension of data transfer operations: you must know where the personal data you exported may be located or processed by the importers (map of destinations). 13. Keep in mind that remote access from a third country (for example in support situations) and/or storage in a cloud situated outside the EEA offered by a service provider, is also considered to be a transfer.28 More specifically, if you are using an international cloud infrastructure you must assess if your data will be transferred to third countries and where, unless the cloud provider is established in the EEA and it clearly states in its contract that the data will not be processed at all in third countries.
Step 2: Identify the transfer tools you are relying on 14. A second step you must take is to identify the transfer tools you are relying on amongst those Chapter V GDPR lists and envisages. Adequacy decisions 15. The European Commission may recognise through its adequacy decisions relating to some or all of the third countries to which you are transferring personal data that they offer an adequate level of protection for personal data.29
25
Under GDPR transparency rules, you must inform data subjects about transfers of personal data to third countries (Articles 13.1.f and 14.1.f GDPR). In particular, you must inform them of the existence or absence of an adequacy decision by the European Commission, or in the case of transfers referred to in Articles 46 or 47 GDPR, or the second subparagraph of Article 49.1 GDPR, refer to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available. The information provided to the data subject must be correct and current, especially in light of the Court’s case law concerning transfers. 26 Where the controller has granted its prior specific or general written authorisation in accordance with Article 28.2 GDPR. 27 Article 5.1.c GDPR. 28 See FAQ nr. 11 “it should be borne in mind that even providing access to data from a third country, for instance for administration purposes, also amounts to a transfer”, EDPB Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, 23 July 2020. 29 The European Commission has the power to determine, on the basis of Article 45 GDPR whether a country outside the EU offers an adequate level of data protection. Likewise the European Commission has the power to determine that an international organisation offers an adequate level of protection.
Adopted
11
