Thank You for Joining “The Intersection of Healthcare Data & Privacy:
How to Navigate the New Challenges”
● We will be starting a couple of minutes after the hour
● This webinar will be recorded; the recording and slides will be sent out later today
● Please use the GoToWebinar control panel on the right-hand side to submit any questions for the speakers
Adequacy Decisions
United Kingdom & South Korea
● United Kingdom – 28 June 2021: GDPR Adequacy Decision and LED Adequacy Decision
● South Korea – 16 June 2021: Draft GDPR Adequacy Decision
Images courtesy of the European Commission @EU_Justice
Standard Contractual Clauses
Observations on Enforcement to Date
● DPAs have so far focused on data transfers to the United States and China that rely on SCCs. The main checks appear to be:
○ What kind of personal data is transferred to the third country, with a focus on special categories of personal data;
○ Whether a data transfer risk assessment has been completed; and
○ Whether, when a contractual safeguard is used, supplementary measures have been considered and put in place.
● Other forms of enforcement action cannot be ruled out. Investigations may be ongoing without having been announced.
New Standard Contractual Clauses
Section I
● Clause 1 – Purpose and scope
● Clause 2 – Effect and invariability of the Clauses
● Clause 3 – Third-party beneficiaries
● Clause 4 – Interpretation
● Clause 5 – Hierarchy
● Clause 6 – Description of the transfer
● Clause 7 – Docking clause
Section II – Obligations of the Parties
● Clause 8 – Data protection safeguards
○ Module 1: C-C (controller to controller)
○ Module 2: C-P (controller to processor)
○ Module 3: P-P (processor to processor)
○ Module 4: P-C (processor to controller)
● Clause 9 – Use of sub-processors
● Clause 10 – Data subject rights
● Clause 11 – Redress
● Clause 12 – Liability
● Clause 13 – Supervision
New Standard Contractual Clauses
Section III – Local laws and obligations in case of access by public authorities
● Clause 14 – Local laws and practices affecting compliance with the Clauses
● Clause 15 – Obligations of the data importer in case of access by public authorities
Section IV – Final Provisions
● Clause 16 – Non-compliance with the Clauses and termination
● Clause 17 – Governing law
● Clause 18 – Choice of forum and jurisdiction
Appendix
● Annex I
○ A. List of Parties
○ B. Description of Transfer
○ C. Competent Supervisory Authority
● Annex II – Technical and Organisational Measures
● Annex III – List of Sub-processors
New Standard Contractual Clauses
Scope of application
● Importer to which Art. 3(2) GDPR applies (offering goods or services to, or monitoring the behaviour of, data subjects in the Union):
○ The full GDPR applies directly to the importer (including Art. 32 – Security)
○ No transfer tool is available other than an adequacy decision; the SCCs cannot be used
● Importer to which the GDPR does not apply directly:
○ Chapter V GDPR applies
○ A transfer mechanism is needed (e.g. the SCCs)
Recital 7 of the Decision: "The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of [the GDPR]. This also includes the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to [the GDPR] (pursuant to Article 3(2) thereof), because it relates to the offering of goods or services to data subjects in the Union or the monitoring of their behaviour as far as it takes place within the Union."
New Standard Contractual Clauses
Of note:
● Scope of application of the SCCs
○ If the GDPR applies to the importer by virtue of Article 3(2) GDPR, the SCCs cannot be used
○ SCCs may still be required for onward transfers to processors of the data importer
● The Commission maintains the risk-based approach that the EDPS and EDPB had previously rejected
○ E.g. Clause 14(b)(i) and (iii) – for the third-country risk assessment, the parties must among other things take into account the "format" of the data transferred, as well as the "contractual, technical or organisational safeguards (…) including during transmission"
● Strong focus on accountability – numerous documentation requirements, including on the data importer
○ Recital 17 of the Decision – the parties should be able to demonstrate compliance with the standard contractual clauses
○ Clause 14(d) – document the third-country risk assessment
New Standard Contractual Clauses
Timeline
● 27 June 2021 – the new SCCs entered into force and can be used
● Until 27 September 2021 – the old SCCs may still be used in new contracts
● 27 December 2022 – the old SCCs lose their validity; existing contracts need to be updated by then
Data Transfers Risk Assessments
1. Know your transfers – reassess all data processing operations on a case-by-case basis
2. Identify the transfer tools you are relying on
3. "Appropriate safeguards"? – choose your instrument and complete the third-country analysis: assess the legislation in, and international commitments of, the third country the data are flowing to
4. Adopt supplementary measures
5. Obtain DPA approval – if the transfer mechanism requires you to do so (BCRs, ad hoc clauses, etc.)
6. Review and update – like all accountability measures, regular reviews and updates are needed
Data Transfers Risk Assessments
Supplementary Measures or Not?
The European Data Protection Board has identified 3 options where third-country legislation is "problematic":
1. The data transfer is suspended, in order to guarantee that the level of protection offered by the GDPR is not undermined.
2. The data transfer continues, but only on the basis of supplementary measures agreed by the parties involved in the processing operation.
3. The data transfer continues without any supplementary measures, because the data exporter considers there is no real risk that the negative impact of the problematic legislation will actually materialise.
Option 3 requires proper documentation and sign-off from the legal representative of the data exporter.
Data Transfers Risk Assessments
Which Supplementary Measures?
Technical
● Strong encryption
● Pseudonymisation
● Protected recipient (e.g. one bound by professional secrecy)
● Split processing (no single party has access to the full dataset)
● Data minimisation
Contractual
● Obligation to use certain technical safeguards
● Transparency obligations
○ Applicable laws
○ Receipt of requests
○ Use of backdoors
● Commitment to take action
○ Challenge requests
● On their own likely insufficient
Organisational
● Accountability measures
● Policies and procedures to comply with technical and contractual safeguards
● Adoption of standards
○ ISO
○ NIST
○ ENISA
● On their own likely insufficient
● The effectiveness of supplementary measures depends on the specific transfer, including the format and nature of the data, the complexity of the data flow and any onward transfers
● The EDPB has not identified any effective supplementary measures for transfers to cloud service providers or other processors that require access to the data in the clear, or for transfers by way of remote access
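A worked illustration of the technical measures listed above, added to this page and not part of the TrustArc slides: a data exporter pseudonymises patient records with a keyed HMAC whose key never leaves the exporter, generalises the date of birth to an age band (data minimisation), and keeps the re-identification table at home (split processing), so the importer only ever receives rows it cannot link back to a person. It also shows the check a practitioner should run before calling pseudonymisation "effective": a plain, unkeyed hash over a small identifier space such as a seven-digit patient number is reversed by simple enumeration. The records, field names and identifier range are constructed for the example; it uses the Python standard library only.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records for the example; the patients are fictitious.
RECORDS: List[Dict[str, str]] = [
    {"patient_id": "1000001", "name": "Alice Example", "dob": "1980-03-14",
     "diagnosis_code": "E11", "postcode": "EC1A 1BB"},
    {"patient_id": "1000002", "name": "Bob Example", "dob": "1975-11-02",
     "diagnosis_code": "I10", "postcode": "SW1A 1AA"},
    {"patient_id": "1000003", "name": "Carol Example", "dob": "1992-07-30",
     "diagnosis_code": "E11", "postcode": "M1 1AE"},
]

# Direct identifiers that must never leave the exporter.
DIRECT_IDENTIFIERS = {"patient_id", "name", "dob", "postcode"}


def age_band(dob: str, reference_year: int = 2021) -> str:
    """Data minimisation: reduce a full date of birth to a 10-year age band."""
    age = reference_year - int(dob[:4])
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def keyed_pseudonym(patient_id: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held only by the exporter."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(patient_id: str) -> str:
    """The weak variant: a plain hash, reversible by enumerating the identifier space."""
    return hashlib.sha256(patient_id.encode()).hexdigest()


def prepare_export(records: List[Dict[str, str]], key: bytes
                   ) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Split processing: the importer receives pseudonymised, minimised rows;
    the exporter retains the lookup table needed to re-identify a row."""
    exported, lookup = [], {}
    for rec in records:
        token = keyed_pseudonym(rec["patient_id"], key)
        lookup[token] = rec["patient_id"]
        exported.append({
            "pseudonym": token,
            "diagnosis_code": rec["diagnosis_code"],
            "age_band": age_band(rec["dob"]),
        })
    return exported, lookup


def reidentify(row: Dict[str, str], lookup: Dict[str, str]) -> Optional[str]:
    """Exporter-side step: map a returned row back to a patient via the retained table."""
    return lookup.get(row["pseudonym"])


def leaks_direct_identifiers(exported: List[Dict[str, str]]) -> bool:
    """Pre-transfer check: no exported row may carry a direct identifier field."""
    return any(DIRECT_IDENTIFIERS & set(row) for row in exported)


def dictionary_attack(target: str, id_space: List[str],
                      pseudonymise: Callable[[str], str]) -> Optional[str]:
    """Importer-side adversary: enumerate candidate identifiers with whatever
    function it can compute and compare each against the received pseudonym."""
    for candidate in id_space:
        if hmac.compare_digest(pseudonymise(candidate), target):
            return candidate
    return None


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    key = secrets.token_bytes(32)             # stays in the EU with the exporter
    exported, lookup = prepare_export(RECORDS, key)
    id_space = [str(n) for n in range(1000000, 1000100)]   # guessable identifier range
    # 1. An unkeyed hash of the same identifier is recovered immediately.
    recovered = dictionary_attack(unkeyed_pseudonym("1000002"), id_space, unkeyed_pseudonym)
    # 2. The keyed pseudonym cannot be matched without the exporter's key.
    attacker_key = secrets.token_bytes(32)    # the importer does not hold the real key
    not_recovered = dictionary_attack(
        exported[1]["pseudonym"], id_space,
        lambda pid: keyed_pseudonym(pid, attacker_key))
    # 3. The exporter, holding the table, can still re-identify the row.
    return recovered, not_recovered, reidentify(exported[1], lookup)


if __name__ == "__main__":
    print(demo())
```

The HMAC key and the lookup table are the two pieces that must stay under the exporter's control. If the importer needs to know who a row belongs to (for example to return a result to the treating clinician), that matching step has to run on the exporter's side; once the importer needs the identity in the clear, the measure no longer helps, which is the situation the last bullet above describes.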
Thank You!
See http://www.trustarc.com/insightseries for the 2021 Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with
compliance, please reach out to sales@trustarc.com for a free demo.