After the Privacy Shield was suspended Mayotte Email Lists last July, companies had to review the way they transfer their users’ personal data outside of Europe, while respecting the regulations in force. To answer the questions of the thousands of companies concerned, the European Data Protection Board (EDPB) has published a 38-page guide, which contains a roadmap with a series of 6 recommendations to follow. They are aimed in particular at data controllers and processors, who act as data exporters. The objective: to support them in their duty to identify and implement the measures to be taken to guarantee the protection of personal data when it is transferred outside the European Economic Area.The EDPB is well aware of the impact of the Schrems II judgment on thousands of EU companies and of the heavy responsibility it places on data exporters. The EDPB hopes that these recommendations can help data exporters identify and implement effective complementary measures where they are needed.
Our aim is to enable lawful transfers of personal data to third countries while ensuring that the transferred data enjoys a level of protection essentially equivalent to that guaranteed in the EEA, said Andrea Jelinek, President of the EDPB . As data exporters, companies are responsible for evaluating the context in which their transfer to a third country is carried out, knowing the legislation in force in the country of destination, as well as the tools used to carry out this operation.
With this first recommendation, the European committee advises companies to identify all transfers of personal data to countries outside the EEA. They must ensure that the jurisdictions of the countries to which the data is sent comply with the standards of the GDPR to ensure that it enjoys a sufficient level of protection.
Identify international data transfers
The transferred data must be ” adequate, relevant and limited to what is necessary with regard to the purposes for which they are transferred and processed in the third country “, specifies the authority. Once the personal data flows have been identified, the EDPB asks companies to ensure that the transfer tools on which they rely comply with the provisions of the GDPR relating to international transfers. These transfer mechanisms include:The legislation in force in the country of the importer of this data, located outside the EEA, must be assessed to ensure that it will not infringe on the guarantees related to the transfer tools. This step must take into account the nature, quantity and types of personal data, the context of their transfer as well as the purpose of the processing carried out by the recipient company.This 4th recommendation of the EDPB practical guide takes into account the case where the exporting company finds that the legislation applying to the data importer could have an impact on the efficiency of the transfer mechanisms.
To guarantee a level equivalent to the European standard on the protection of personal data, it is recommended to adopt additional technical, contractual and organizational measures:technical measures , such as encryption, pseudonymization or split processing,contractual measures , such as the obligation of transparency, or the provision according to which the data can only be consulted with the consent of the exporter or the data subject, organizational measures , namely internal transfer governance policies, the regular publication of transparency reports, the adoption of data access and confidentiality policies, or the involvement of the data protection officer in all issues related to their transfer.
Evaluate the legislation of the third country
According to the EDPB, all procedural measures that may be necessary for companies, in order to provide an appropriate level of protection during the transfer of data, must be taken by companies. This may be the establishment of adequate safeguard procedures or the consultation of a competent European data protection authority. These procedural steps can be integrated into company policy.In this last recommendation, the European committee insists on monitoring the measures taken and their application, as well as their reassessment if necessary, with the aim of ensuring a level of compliance with European regulations on an ongoing basis.You must monitor, at all times, and where appropriate in collaboration with data importers, developments in the third country to which you have transferred personal data, which could affect your initial assessment of the level of protection and the decisions you have made.
could take accordingly on your transfers, specifies the EDPB.To drive conversion, we need an up-to-date feed that allows us to show the right information to the targeted Facebook or Instagram user. Flow management to have this information available is impossible to manage manually, so we have to go through Channable to configure our product flows. This allows us for example to have the price of products automatically updated on our ads. If the price of certain products is for example on promotion, we do not have to do any manual intervention.NH: One of the main advantages is the enormous time savings. If we are looking to implement fixes on our source feed (our product catalog), it takes time internally. Being able to modify the flow, modify fields, or delete certain data from Chanable is extremely advantageous. It is obviously difficult to quantify the time saved, but Channable avoids us going back and forth with our technical services.
