On July 7, 2021, the European Data Protection Board (“EDPB”) published draft guidelines on codes of conduct for personal data transfers for consultation. These guidelines complement the EDPB’s earlier guidelines on codes of conduct and monitoring bodies. Interested parties had until October 1, 2021 to respond to the consultation. On February 22, 2022, the EDPB published the final version of the guidelines.
The guidelines focus on the requirements for a code of conduct to be approved as a legal mechanism for transferring personal data outside the European Economic Area (“EEA”) to third countries that do not provide an adequate level of data protection. They emphasize that such a code of conduct can be used to cover multiple transfers between companies belonging to the same sector and/or carrying out similar processing activities.
Pursuant to Articles 40(3) and 46(2)(e) GDPR, controllers or processors in the EEA (“data exporters”) can lawfully transfer personal data to controllers or processors outside the EEA (“data importers”) that adhere to an approved code of conduct. The guidelines clarify that for the transfer to be lawful, it is sufficient that the data importer adheres to the code; the data exporter does not have to adhere to the code.
A valid transfer code of conduct must impose obligations on the data importer to ensure that personal data remains “adequately protected in line with the requirements of Chapter V GDPR” when transferred outside the EEA. This entails, among other things, establishing appropriate safeguards that include (1) the essential principles and main requirements of the GDPR and (2) guarantees specific to the context of the transfer.
The guidelines provide a checklist of minimum elements that a transfer code must include, which may need to be supplemented with additional commitments and measures in certain cases, depending on the transfer scenario.
Binding Nature of the Code
The guidelines state that codes of conduct can only serve as a legitimate transfer mechanism if the data importer has undertaken “binding and enforceable commitments” to comply with the obligations set forth by the code via contractual or other legally binding instruments. These commitments must have a binding and enforceable nature in accordance with EU law.
According to the guidelines, taking such commitments by contract may be the most straightforward solution to satisfy this requirement. The guidelines mention the following two examples of how to establish these commitments via contract:
- inserting a clause in an existing contract signed between the data exporter and the data importer (e.g., master service agreement or Article 28 data processing agreement) requiring the data importer to commit to comply with the code of conduct; or
- creating a separate model contract which includes the data importer’s commitment to comply with the code and which the data importer (adherent to the code) must sign with the data exporter.
Among other things, the contract must:
- grant third-party beneficiary rights to data subjects and data exporter(s);
- grant data subjects the right to:
  - bring claims/complaints directly against a data importer for violations of the code before EEA courts or the supervisory authority of the data subject’s country of habitual residence;
  - bring claims/complaints indirectly against a data exporter for a data importer’s violation of the code before EEA courts and/or the supervisory authority of the data exporter’s country of establishment or the data subject’s country of habitual residence; and
  - be represented by a not-for-profit body, organization or association when bringing such claims/complaints; and
- require the data importer to:
  - notify the data exporter and the data exporter’s supervisory authority of any “detected violation” of the code and of any corrective measures taken by the monitoring body in response to that violation; and
  - warrant that, at the time of acknowledging its adherence to the code, it has no reason to believe that the laws applicable to the processing of personal data in the third country of transfer prevent it from fulfilling its obligations under the code, and implement (where necessary and in coordination with the data exporter) supplementary measures to ensure the level of protection required under EEA law.
The guidelines also outline the adoption process for a transfer code of conduct. In summary, parties submitting a code for approval must obtain: (1) a draft decision from the competent supervisory authority approving the code; (2) a favorable opinion from the EDPB; and (3) an implementing decision by the European Commission giving general validity to the code.
The guidelines clarify that the body responsible for monitoring data importers’ compliance with the code can be an entity located outside the EEA, provided it has an establishment in the EEA.
The guidelines appear to be part of the EDPB’s broader response to the Schrems II decision of the Court of Justice of the European Union (“CJEU”), which invalidated the EU-US Privacy Shield framework, as well as a response to industry initiatives to create codes of conduct for transfers (e.g., the EU Cloud COC’s initiative to expand the scope of its code to transfers, as discussed here). The approval of codes of conduct for transfers would broaden the set of tools available to lawfully transfer personal data outside the EEA, which currently is limited to (1) standard contractual clauses; (2) binding corporate rules (for intra-group transfers); or (3) the derogations under Article 49 GDPR.
The EDPB announced that it will provide further guidance to clarify the application of the minimum elements of a transfer code. The team at Covington will continue to monitor developments in this space.