European Union: First Official Guidance On International Data Transfers Post Schrems II – German Data Protection Authority Publishes Checklist And Action Items On International Data Transfers

(a) Identify cases in which personal data is transferred to third countries (including e.g. private and governmental remote access);

(b) Contact service providers and contractual partners in third countries and inform them about the CJEU's judgement and its implications;

(c) Assess and update privacy notices if required, particularly provide information on international data transfers, such as the transfer mechanisms that are relied upon (Art. 13(1) lit. f) GDPR);

(d) Assess and amend records of processing activities if required;

(e) Request data processors that transfer personal data based on the Privacy Shield Framework to the US, to immediately stop such transfer until the service provider (or sub-processor deployed) ensures a level of data protection that corresponds to that within the EU;

(f) Assess the legal situation in the third country (privacy laws, governmental access requests, data subject rights, legal remedies, etc.) and also whether there is an adequacy decision for that third country (Art. 45 GDPR);

(g) Rethink the transfer to the third country and assess whether the transfer can be avoided, e.g. by the use of service providers that do not require a transfer of personal data to third countries or encryption of personal data without providing the key to any other party;

(h) Assess whether the SCCs can be relied upon for the respective third country and if so, whether additional safeguards are required, e.g. amendment of SCCs (see below) or technical measures such as encryption or anonymization);

(i) Assess whether Binding Corporate Rules (BCRs) can be relied upon (Art. 47 GDPR) and if so, whether additional safeguards are required;

(j) Assess whether - as ultima ratio - any of the derogations for special cases can be relied upon, e.g. for intra-group data transfers (Art. 49 GDPR);

(k) Assess whether each assessment and subsequent steps are sufficiently documented and can be proven to authorities (Art. 5(2) GDPR).

(a) include an obligation for the data importer to inform the data subjects about transfers of personal data to a third country;

(b) include an obligation for the data importer to inform not only the data exporter but – as far as known – also the data subjects about any legally binding requests for disclosure of personal data made by an enforcement authority; if the latter notification is prohibited, e.g. under criminal law, the data importer must be obliged to inform the data exporter who should contact the local data protection authority to assess how to proceed; in such cases, the data importer shall be obliged to frequently provide general information on requests of disclosure by authorities (at least number of requests, type of requested data, authority) to the data exporter;

(c) include an obligation for the data importer to take any legal action available against such requests for disclosure and refrain from disclosing any personal data, until a competent court (last instance) has confirmed the request;

(d) include an obligation for the data importer to inform the data subjects of any engagement of sub-processors;

(e) include an obligation of the data importer to indemnify the data subject, regardless of any fault, from all damage of the data subject, caused by access to the personal data by authorities of the data importers state;

(f) include indemnification clause, to cover liability of possible damages caused my non-compliance by the data importer with its obligations.