Step 3: Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer 28. The selected Article 46 GDPR transfer tool must be effective in ensuring that the level of protection guaranteed by the GDPR is not undermined by the transfer in practice.38 29. In particular, the protection afforded to the transferred personal data in the third country must be essentially equivalent to that guaranteed in the EEA by the GDPR, read in light of the Charter of Fundamental Rights of the EU.39 This is not the case if the data importer is prevented from complying with its obligations under the chosen Article 46 GDPR transfer tool due to the third country’s legislation and practices applicable to the transfer, including during the transit of data from the exporter to the importer’s country.40 30. You must first assess, where appropriate in collaboration with the importer, if there is anything in the law and/or practices in force41 in the third country that may impinge on the effectiveness of the appropriate safeguards of the Article 46 GDPR transfer tool you are relying on, in the context of your specific transfer. This implies determining whether your transfer falls within the scope of legislation and/or practices which may impinge on the effectiveness of your Article 46 GDPR transfer tool. The assessment required must be based first and foremost on legislation publicly available. 31. This assessment must contain elements concerning access to data by public authorities of the third country of your importer such as: - Elements on whether public authorities of the third country of your importer may seek to access the data with or without the data importer’s knowledge, in light of legislation, practice and reported precedents; - Elements on whether public authorities of the third country of your importer may be able to access the data through the data importer or through the telecommunication providers or communication channels in light of legislation, legal powers, technical, financial, and human resources at their disposal and of reported precedents.
Identifying laws and practices relevant in light of all circumstances of the transfer 32. You will need to look into the characteristics of each of your transfers and determine whether the domestic legal order and/or practices in force of the country to which data is transferred (or onward transferred) affect your transfers. The scope of your assessment is thus limited to the legislation and practices relevant to the protection of the specific data you transfer, in contrast with the general and wide encompassing adequacy assessments the European Commission carries out in accordance with Article 45 GDPR.
38
Article 44 GDPR and paragraphs 126, 137 and 148 of C-311/18 (Schrems II). C-311/18 (Schrems II), paragraphs 105 and second finding. 40 See C-311/18 (Schrems II), paragraph 183 in conjunction with paragraph 184. 41 See paragraph 126 of the C-311/18 (Schrems II) Judgment in which the Court explicitly alludes to “the law and practices in force in the third country concerned” and requires “(...) ensuring, in practice, the effective protection of personal data transferred to the third country concerned.” (emphasis added), and paragraph 158. 39
Adopted
14
