“Data Transfers” is the sixth in a series of topics in which we will discuss the potential impact of the GDPR on your EU or global background screening processes. In this series, look for the icon which will highlight specific information regarding potential impact to First Advantage screening processes.
Under the GDPR, transferring data outside of the EU/EEA is generally not permitted unless the transferring organisation and the recipient organisation ensure that such transfer is adequately protected. Your organisation, as a Data Controller, and First Advantage as a Data Processor, may be required to take contractual steps to make sure that data transfers are properly addressed.
The GDPR covers data transfers in Articles 44-50, and generally sets forth four different ways that a data transfer may be deemed ‘adequately protected’ with a fifth category of derogations or exceptions to the primary rules:
STANDARD CONTRACTUAL CLAUSES
BINDING CORPORATE RULES
CODES OF CONDUCT AND CERTIFICATION MECHANISMS
These so-called Adequacy Mechanisms are not mutually exclusive. It is possible to have more than one adequacy mechanism in place for a single data transfer.
(1) Adequacy Decisions – The European Commission is an EU institution responsible for proposing legislation, implementing decisions, uploading EU treaties and managing the EU’s day to day business. The European Commission has the power under Article 45 of the GDPR to determine whether a country outside the EU offers an adequate level of data protection, whether by its domestic legislation or as a result of the international commitments it has entered into. The effect of such a decision is that EU personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. As of the date of writing, adequacy discussions are underway with South Korea.
Which countries have been deemed adequate?
- Canada (commercial organisations)
- Faroe Islands
- Isle of Man
- New Zealand
- United States (limited to Privacy Shield certified organisations only)
First Advantage stores non-U.S. data in its data center located in Amsterdam. In addition, we have affiliated operational entities in Canada, Japan, New Zealand and the United States. First Advantage’s U.S. organisations have maintained Privacy Shield certification both for the EU and Switzerland since the programs’ inception in 2016 and 2017, respectively.
(2) Standard Contractual Clauses – Standard Contractual Clauses (“SCCs”), also known as ‘Model Clauses,’ are contracts that offer additional adequate safeguards with respect to data protection that are needed in case of a transfer of personal data to any third country. Three sets of approved SCCs exist which are available on the EU Commission’s website. These contracts may not be modified and must be signed as provided. However, they may be included as part of a broader agreement and other clauses may be added as long as they don’t contradict the SCCs. This is a “ready to use” instrument. SCCs are covered in the GDPR Article 46.
First Advantage utilises SCCs in various situations with suppliers, affiliates and clients. The use of SCCs and their interplay with associated services or data protection agreements can be complex and fact specific. Always consult with your legal counsel when determining if SCCs are required.
(3) Binding Corporate Rules – Referred to as “BCRs” and covered in Article 47 of the GDPR. BCRs are personal data protection policies which are followed by a group of companies (e.g. multinational corporate groups) in order to provide appropriate safeguards for transfers of personal data within the group, including outside the EEA. Generally BCRs are implemented amongst Data Controllers/joint controllers within the same corporate group; processor organisations may also use BCRs amongst their group processor organisations. BCRs must be approved by the competent national supervisory authority, a process which can take months or even years.
(4) Codes of Conduct or Certification Mechanisms – A Code of Conduct or a Certification Mechanism can offer appropriate safeguards for transfers of personal data where they include binding and enforceable commitments by the organisation in the third country for the benefit of the individuals. These are relatively new tools under the GDPR and the European Data Protection Board (EDPB – the organisation which has replaced the Article 29 Working Party) is working on guidance to further explain how to properly use these tools and when. These concepts are covered in detail in the GDPR under Articles 40, 42 and 46(2).
(5) Derogations – It’s important to note that some less common derogations exist under Article 49 which can be viewed as exceptions to the rules identified in items 1-4. These derogations must be interpreted very restrictively and only for occasional and non-repetitive processing activities. Examples of these derogations include: (a) situations in which the data subject has explicitly consented to the transfer after having been informed about the risks of transfer; and (b) if the data transfer is necessary for important reasons of public interest.
About First Advantage
First Advantage provides comprehensive background screening, identity and information solutions that give employers access to actionable information that results in faster, more accurate people decisions. With an advanced global technology platform and superior customer service delivered by experts who understand local markets, First Advantage helps customers around the world build fully scalable, configurable screening programs that meet their unique needs. Headquartered in Atlanta, Georgia, First Advantage has offices throughout North America, the United Kingdom, Asia and the Middle East.
Information Content Notice
Although the foregoing has been authored by the First Advantage Global Legal Compliance Team, we are not authorised to provide your organisation with legal advice because First Advantage is not a law firm.
The foregoing information is rather provided in a spirit of partnership as helpful information on the possible impacts associated with GDPR.
Please share this document with legal counsel familiar with your organisation and who has expertise in GDPR compliance. Given the substantial financial penalties associated with GDPR compliance and their possible impact on your revenue, legal review is an essential part of your organisation’s preparation for GDPR compliance.
Current as of June 2020
© 2020 First Advantage Corporation