Data Transfer Rules
The European privacy landscape is constantly changing to adapt to the fast-paced digital transformation and its implications for the way personal data is processed. As a provider of a subscription and recurring billing management platform (“Platform”) and related services, AppXite recognizes the growing need and expectation of our partners to have state-of-the-art technology whilst remaining confident that their data is processed in compliance with data protection law.
AppXite is committed to helping our partners comply with the General Data Protection Regulation (“GDPR”) by updating our security & compliance program based on CJEU case law, EDPB recommendations and the guidelines of the local data protection authorities.
On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a judgement (“Schrems II Judgement”) invalidating the European Commission’s Privacy Shield Decision due to invasive US surveillance programmes. As a result, companies are no longer permitted to rely on the Privacy Shield as a valid mechanism to transfer personal data from the EEA to the United States.
At the same time, the CJEU confirmed the validity of the Standard Contractual Clauses (“SCC”) as a transfer mechanism to third countries under Article 46 of the GDPR, for as long as data exporters ensure that data subjects benefit from a level of protection essentially equivalent to that guaranteed in the EEA. Following the Schrems II Judgement, the European Data Protection Board (“EDPB”) issued Recommendations 01/2020 describing a six-step assessment to determine whether the selected transfer tools ensure an EU-equivalent level of protection of personal data.
In this article, you can learn how AppXite has implemented the EDPB recommendations following the Schrems II judgement and, by doing so, helps our partners comply with the GDPR.
AppXite, as data exporter, has performed Transfer Impact Assessments through which it has mapped all of its third-country transfers, analysed the local privacy laws pertaining to the SCC guarantees and verified the application of supplementary measures to match the EEA level of protection for personal data transferred to third countries. The Transfer Impact Assessment consists of the following six steps:
Step 1 – Know Your Transfers
Record and map all third-country data transfers and verify that the data you transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country.
Even before the EDPB Recommendations, AppXite maintained a detailed inventory of third-country transfers to validate that:
- Data transferred to a third country is strictly limited to what is necessary to meet partner requirements (“data minimization”);
- All transfers are supported by the proper transfer tool;
- Information on third-country transfers is reflected in the Data Processing Agreement.
AppXite makes the information on processing locations available in the Data Processing Agreement. The Data Processing Agreement lists all sub-processors that AppXite engages to carry out processing activities in relation to customer data on AppXite’s behalf.
Step 2 – Identify the Transfer Tool
Verify the transfer tool on which the transfer relies (e.g. Adequacy decision, SCC, binding corporate rules).
The Schrems II judgment reinforced the validity of the SCC as a valid transfer tool for as long as the data controllers and processors ensure the essentially equivalent level of protection of personal data to that guaranteed in the EEA.
All data exported by AppXite to any third country not covered by an Adequacy Decision is supported by the SCCs as a transfer tool.
Following the Schrems II judgment, on 4 June 2021 the European Commission published two new sets of SCC: one for use between controllers and processors (EC Decision 2021/915) and one for the transfer of personal data to third countries (EC Decision 2021/914). The AppXite Data Processing Agreement has been re-worked according to the new controller-processor SCC and supplemented with the SCC for third-country transfers.
The old SCC were based on Directive 95/46/EC, which was later replaced by the GDPR. The new SCCs were therefore updated to address the GDPR principles, recent case law developments and the challenges of the digital market.
Here are some of the key changes associated with the new SCCs:
- Increased flexibility to cover a broad range of transfer scenarios, complex processing chains, and multi-party processing;
- Increased data management capabilities of data exporters and tools to comply with the EDPB recommendations, including the examples of possible “supplementary measures”;
- More explicit requirements for data importers covering warranties, notification and recordkeeping, together with expanded security and data breach requirements.
Starting from 27 September 2021, AppXite has incorporated the new SCC into its Data Processing Agreement to cover both existing and new transfers of partner data. For the existing transfers carried out between AppXite and its sub-processors, AppXite is committed to applying the new SCCs before the end of the transition period on 27 December 2022.
Step 3 – Assess Data Importer Laws
Assess the laws or practices of the third countries that may impinge on the effectiveness of the appropriate safeguards of the transfer tool, including by using Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.
An integral part of the Transfer Impact Assessment is to verify, on a case-by-case basis, whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the SCC. As a general policy, AppXite localizes the storage of partner data in the EEA; however, for services that require processing to take place outside the EEA, AppXite has identified and applied supplementary measures, comprising technical, organizational and contractual measures, to ensure the enforceability of the SCC and its related safeguards. According to the EDPB recommendations, such supplementary measures must be applied based on the circumstances of the transfer, in particular:
- Purposes for which the data are transferred and processed;
- Types of entities involved in the processing;
- Sector in which the transfer occurs;
- Categories of personal data transferred;
- Whether the data will be stored in the third country or whether there is only remote access to data stored within the EU/EEA;
- Format of the data to be transferred;
- Possibility that the data may be subject to onward transfers from the third country to another third country.
Step 4 – Adopt Supplementary Measures
If the data exporter’s assessment is that the use of the transfer tool alone would not provide an essentially equivalent level of protection, identify the supplemental contractual, technical or organizational measures that are necessary to bring the level of protection of the data transferred up to the EEA standard of essential equivalence.
Step 5 – Procedural Steps
Take the procedural steps to adopt the supplementary measures based on your transfer tools.
Step 6 – Re-evaluate
Re-evaluate, at appropriate intervals, the level of protection afforded to the data that the data exporter transfers to third countries, and monitor whether there have been, or will be, any developments that may affect it.
AppXite sets out its commitment to the applicable technical, organizational and contractual measures implemented to safeguard the data as part of its DPA. With respect to the use of sub-contractors, the same measures listed below are reflected in the DPAs between AppXite and the related sub-processors.
The technical, organizational and contractual measures applied by AppXite and/or its sub-processors with respect to partner data include, but are not limited to:
- Secure Hosting Infrastructure (backup, failovers, business continuity);
- Networks & Transmission (SSL/TLS encryption, firewalls, HTTPS, DoS protection);
- Security Policies and Procedures (Incident process, notification, data subjects request handling process);
- Access controls;
- Physical Security & Environmental Controls;
- Code Review;
- Sub-processor Management (sub-processor security vetting; entering into DPAs that contain obligations equivalent to those outlined in the DPA between AppXite and a Partner; the sub-processor’s obligation to challenge government requests; the sub-processor’s obligation to inform AppXite of legislative changes that may impact partner data);
- Personnel Management & Dedicated Security Team;
- Availability of third-party certification and audit reports, so that partners can verify AppXite’s compliance with best privacy & security practices.
For more information on the measures implemented to supplement data transfers, please read the Security and Compliance Whitepaper.
All transfers will be re-evaluated on an annual basis to ensure that an adequate level of protection is maintained. In the event of new developments that may affect the effectiveness of the SCC, AppXite, in cooperation with the data importer, will determine the supplementary measures required to support the transfer, or suspend the transfer altogether.