This document summarizes a webinar on international data transfers. It discusses recent EU data transfer enforcement actions against a Norwegian toll road operator and Hamburg public authorities for transferring personal data to China and the US without proper safeguards. It also provides an overview of the EU's standard contractual clauses and transfer risk assessment requirements, as well as the UK's international data transfer agreements and risk assessment process. Finally, it briefly mentions other international data transfer mechanisms and opens the floor for questions.

1. 1
1
© 2021 TrustArc Inc. Proprietary and Confidential Information.
International Data Transfer Update
18 August 2021

2. 2
2
Thank You for Joining “International Data Transfer Update”
● We will be starting a couple minutes after the hour
● This webinar will be recorded and the recording and slides sent out later today
● Please use the GoToWebinar control panel on the right hand side to submit any
questions for the speakers

3. 3
3
Speaker
Paul Breitbarth
Director, EU Policy & Strategy
TrustArc

4. 4
4
Agenda
● EU Data Transfer Enforcement Update
● EU Standard Contractual Clauses and Transfer Risk Assessment (reminder)
● UK International Data Transfer Agreements and Transfer Risk Assessment
● Other International Data Transfer Mechanisms
● Q&A

5. 5
5
EU Data Transfer
Enforcement Update

6. 6
6
EU Data Transfer Enforcement Update
● The operator transferred over 12.5 million images of license plate data to a data processor with employees in
China without having a data processing agreement in place, a basis for transferring the personal data to a
country without adequate protection (no exceptions applied to the processing), or conducting a risk assessment
to determine the risk of processing or whether further security measures are warranted
● The Norwegian DPA announced the intention to fine the company 5 mln NOK (~ €500.000) A final decision will
be made following the submission of further comments by the operator.
● Aggravating factors:
○ the volume of processing;
○ the violations constitute a breach of the basic requirements of the GDPR;
○ the duration of the infringement; and
○ negligence to transfer personal data without a processing agreement or basis for transfer to China
Norway Toll Road Operator

7. 7
7
EU Data Transfer Enforcement Update
● The Hamburg DPA issued an official warning to the Office of the Senate (Senatskanzlei) for using an on-demand
option in online communication platform Zoom, possibly for webinars or other online meetings with postponed
viewing options. Only press release available.
● The investigation showed that the Hamburg authorities have not met the threshold for EU-U.S. data transfers as
explained in the recent EDPB guidance. The DPA also criticizes the lack of cooperation of the authorities with the
investigation.
● “A data transfer to the U.S. is only possible under very strict conditions, that are not met by the planned use of
Zoom by the Hamburg authorities. The personal data of Senate staff and external partners would risk to be
subject to unwarranted government surveillance in the US, against which no redress mechanisms exist”.
● Consent or other exemptions ruled out as valid option for transfer in this situation.
● Very strict interpretation of the guidance by the Hamburg DPA.
Use of Zoom by Hamburg Public Authorities

8. 8
8
Post Schrems-II Enforcement
● DPAs focus so far on data transfers to the United States and China based on SCCs. The
main checks seem to be:
○ What kind of personal data is transferred to a third country, with a focus on
special categories of personal data;
○ If a data transfer risk assessment has been completed; and
○ If, when using a contractual safeguard, supplementary measures have been
considered and put in place.
● Other forms of enforcement action cannot be ruled
out. Investigations may be ongoing without having
been announced.
Observations on Enforcement to Date

9. 9
9
EU Standard Contractual Clauses and
Transfer Risk Assessment (reminder)

10. 10
10
EU SCCs and Transfer Risk Assessment
Section I
● Clause 1 - Purpose and scope
● Clause 2 – Effect and invariability of the Clauses
● Clause 3 – Third-party beneficiaries
● Clause 4 - Interpretation
● Clause 5 - Hierarchy
● Clause 6 - Description of the Transfer
● Clause 7 - Docking Clause
Section II - Obligations of the Parties
● Clause 8 - Data Protection Safeguards
○ Module 1: C-C
○ Module 2: C-P
○ Module 3: P-P
○ Module 4: P-C
● Clause 9 – Use of sub-processors
● Clause 10 – Data subject rights
● Clause 11 – Redress
● Clause 12 - Liability
● Clause 13 - Supervision

11. 11
11
EU SCCs and Transfer Risk Assessment
Section III – Local laws and obligations in case of access
by public authorities
● Clause 14 - Local Laws Affecting Compliance
with the Clauses
● Clause 15 – Obligations of the importer in case of
access by public authorities
Section IV - Final Provisions
● Clause 16 - Non-compliance
● Clause 17 - Governing Law
● Clause 18 - Choice of Forum and Jurisdiction
●
Appendix
Annex I
A. List of Parties
B. Description of Transfer
C. Competent Supervisory Authority
Annex II - Technical and Organisational Measures
Annex III - List of Sub-processors

12. 12
12
EU SCCs and Transfer Risk Assessment
Scope of application
Art. 3(2) GDPR applicable
Offering goods/services
Monitoring behaviour
↓
Full GDPR applies
(Includes art. 32 - Security)
Art. 3(2) GDPR applicable
Offering goods/services
Monitoring behaviour
↓
No transfer options but
adequacy
No direct GDPR application
↓
Chapter V GDPR applies
Transfer Mechanism needed
(§7) The standard contractual clauses may be used for such transfers only to the extent that the
processing by the importer does not fall within the scope of [the GDPR]. This also includes the
transfer of personal data by a controller or processor not established in the Union, to the extent that
the processing is subject to [the GDPR] (pursuant to Article 3(2) thereof), because it relates to the
offering of goods or services to data subjects in the Union or the monitoring of their behaviour as far as
it takes place within the Union.

13. 13
13
EU SCCs and Transfer Risk Assessment
27 June 2021
The new SCCs entered into
force and can be used
Until 27 September 2021
The old SCCs may still be
used in new contracts
27 December 2022
The old SCCs will lose their
validity - contracts need
to be updated.

14. 14
14
EU SCCs and Transfer Risk Assessment
Know your transfers
Reassess all data processing
operations on a
case-by-case basis
Identify the transfer tools
you are relying on
“Appropriate Safeguards”?
Assess which instrument is
most effective in light of all
circumstances of the
transfer
1 2 3
Adopt Supplementary
Measures
Obtain DPA Approval
If the transfer mechanism
requires you to do so
BCRs, ad hoc clauses, etc.
Review and Update
Like all accountability
measures, regular reviews
and updates are needed
4 5 6
Assess the legislation in, and international commitments of, the third country where the data are flowing to

15. 15
15
https://trustarc.com/international-data-transfers/

16. 16
16
Public Resources

17. 17
17
UK International Data Transfer Agreements
and Transfer Risk Assessment

18. 18
18
UK IDTA and Transfer Risk Assessment
Part I - Tables
● Table 1: Parties and signatures
● Table 2: Transfer Details
○ Governing law
○ Controller/Processor
○ Linked Agreement(s)
○ Onward Transfer Allowance
● Table 3: Transferred Data
● Table 4: Security Requirements
Part II - Extra Protection Clauses
● Technical Security Protections
● Organisational Protections
● Contractual Protections
Part III - Commercial Clauses
● Optional
Part IV - Mandatory Clauses
● Appropriate Safeguards
● Mandatory Review (at least annual)
● Exporter and Importer Obligations
● Onward Transfers
● Individual Rights
● Third Party Access (Government Access)
● Data Breaches
● Oversight & Redress
● Glossary
ICO Consultation

19. 19
19
UK IDTA and Transfer Risk Assessment
ICO Consultation
Assessing the Transfer
Is there a restricted transfer
that is not of high risk to
individuals?
Can the IDTA likely
be enforced?
If not, can additional
safeguards help?
Appropriate Protection
from 3rd Party Access?
Transfer can continue if no
or low risk of harm to
individuals.
1 2 3
The UK Transfer Risk Assessment Tool
To be used for routine transfers only. More complex
transfers require a more detailed risk assessment
Restricted Transfer: only when the UK GDPR applies to a
processing operation, and data is sent to, or accessed from,
a non-adequate country, and the importer is a separate
company or individual. A UK processor sending data back to
a non-UK controller is NOT a restricted transfer.
Low Risk of Harm: there is more than a minimal risk of the
relevant event occurring which may infringe data subject
rights and even if that relevant event does happen, the
impact on data subjects would not cause them significant
harm.

20. 20
20
UK IDTA and Transfer Risk Assessment
● ICO considering to also allow for Addenda to other approved model data transfer agreements as
“appropriate safeguard” under art. 46 UK GDPR.
○ European Union (SCCs)
○ New Zealand
○ ASEAN (Association of Southeast Asian Nations)
● Draft Addendum for use with EU SCCs part of the consultation process
○ Language of the EU SCCs is “deemed to be amended to the extent necessary” to meet the UK
requirements.
■ E.g. references to the EU are changed to the UK
○ Not required for EU-UK data transfers (because of adequacy)
● Helpful option (?) for contracts dealing with multiple global jurisdictions.
ICO Consultation
Consultation until 7 October 2021, 5pm BST

21. 21
21
Other International Data
Transfer Mechanisms

22. 22
22
Other International Data Transfer Mechanisms
● Abu Dhabi Global Market Office of Data Protection adopted SCCs on 11 August 2021
○ Based on the ADGM 2021 Data Protection Regulations
○ Align closely with recently updated EU SCCs
○ Contracts need to be updated by 14 February 2022
● Other jurisdictions which have model clauses in force include:
○ New Zealand
○ Dubai International Financial Market
○ ASEAN
● Over 100 countries have data transfer restrictions in place, but not all have (yet) developed model
clauses.

23. 23
23
Q&A

24. 24
24
Thank You!
See http://www.trustarc.com/insightseries for the
2021 Privacy Insight Series and past webinar
recordings.
If you would like to learn more about how TrustArc can support you with
compliance, please reach out to sales@trustarc.com for a free demo.