One does not simply transfer personal data outside the European Economic Area …

EUROPEAN COMMISSION ADOPTS NEW STANDARD CONTRACTUAL CLAUSES FOR THE TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

Do you have a contract with a client or a subcontractor located outside the European Economic Area (EEA) that requires you to transfer personal data to them (or otherwise make personal data available to them outside the EEA)?

Does your company have subsidiaries located outside the EEA, or is it itself a subsidiary of a company located outside the EEA?

If so, you should check that you comply with the provisions of the GDPR on the transfer of personal data to third countries (Article 44 and following).

One of the tools that can be used to comply with these rules is the adoption of so-called “Standard Contractual Clauses” (hereafter SCCs), of which a brand-new set has just been adopted.

The key dates surrounding this new set of rules

On June 4, 2021, the European Commission adopted the new set of Standard Contractual Clauses (following a joint opinion of the EDPB and the EDPS in January 2021).

The new clauses take effect on June 27, 2021.

The transitional period is as follows:

  • The ‘old’ SCCs can continue to be used for new contracts for a transitional period of 3 months, i.e. until September 27, 2021;
  • For existing contracts, the transitional period is 18 months, meaning you must have made the transition by December 27, 2022 at the latest;
  • However, this 18-month period only applies as long as the processing operations covered by the contract remain unchanged: if, after September 27, 2021, the transfer operations carried out under a contract relying on the old SCCs change, the new clauses must be in place at the latest when the changed transfer occurs.

The aftermath of Schrems II – Risk assessment and warranties

The Commission’s response to the Schrems II decision of the Court of Justice of the EU and to the subsequent draft Recommendations of the European Data Protection Board consists in requiring the parties to “warrant that they have no reason to believe that the [laws of the territory of the data importer] prevent the data importer from fulfilling its obligations under these Clauses” (Clause 14).

This is not a warranty the parties can give lightly: the SCCs require them to carry out a genuine and thorough risk assessment taking into account the specific circumstances of the transfer (storage location, number of actors involved, type of processing and type of recipient, etc.), the laws and practices of the third country of destination (in particular those requiring disclosure of data to public authorities), and the contractual, technical and organisational safeguards that can be applied to mitigate the risks identified.

A further notable requirement is that this assessment must be documented and made available to the competent supervisory authority upon request.

One set to rule them all – Modular approach

One of the features of the new clauses is that there is a single set of clauses with different modules for the different situations (controller to controller, controller to processor, etc.), to be selected according to the transfer that actually takes place, instead of a separate set of clauses for each situation.

Another new feature in that regard is that transfers from a processor inside the EEA to a controller or processor located outside the EEA are now covered, so that this single set in fact covers all four possible configurations.

Multipartite and docking clauses

The new SCCs also allow more than two parties to contract together under the SCCs (whereas the old SCCs were designed as bipartite agreements only), and even allow new parties to join over time (under Clause 7, the ‘docking’ clause).

Conclusion

Other features of the new clauses remain to be examined, such as the hierarchy clause (meaning, for example, that the liability clause of the SCCs may prevail over a conflicting clause of the parties’ commercial contract).

What is certain is that these new “standard” contractual clauses are not a simple form you can sign to be compliant: implementing them requires a thorough analysis of the data transfer concerned.

Please do not hesitate to contact us should you require further information, advice and/or assistance on the issues discussed in this note, or any other data protection and privacy-related matter.

GDPR / Data privacy: What to do with mailboxes of departing personnel?

An employee, manager, director or even a consultant with a company mailbox is leaving the company. How should their mailbox be handled?

A decision of the Belgian DPA (Decision 64/2020 of September 29, 2020) sanctioned the inadequate handling of this question and provided guidance for future cases. It addresses the following questions:

  • Can the company use, or even read, the emails of the departing staff member?
  • Should the company forward emails or display an automated reply? If so, for how long?
  • Does the leaving staff member have a right to collect or delete personal emails?

The decision

Facts

The case referred to the Litigation Chamber concerned the departure of the CEO of a formerly family-owned company (following immediate dismissal).

A number of email addresses of the former CEO and of other family members who had previously worked for the company were still in use by the company (long) after their departure. These addresses were personal to those persons, using their first name, either alone or combined with their family name (firstname@companyname.be or firstname.familyname@companyname.be).

The former CEO also claimed, and proved, that an employee of the company had accessed his old mailbox.

During the inspection leading to this decision, the company also acknowledged having set up a redirection of those email addresses so as not to lose important emails (given the key positions formerly held by the persons concerned, such as Quality Manager and Director).

Ruling of the Litigation Chamber

  • Mailboxes should have been closed 

The email addresses were created in a professional setting for the purpose of allowing their holders to send and receive emails in the course of their activity for the company. The Belgian DPA states that these addresses should have been closed at the latest on the day the staff member effectively left the company.

  • Access to the complainant’s mailbox

Although it may be legitimate for the company to access the mailbox and keep copies of some of the departing person’s emails, such access may only take place in the presence of the mailbox holder.

The Litigation Chamber found violations of Article 5.1(b) GDPR (purpose limitation), in combination with Articles 5.1(c) (data minimisation) and 5.1(e) (storage limitation), of Article 6 (lawfulness of processing) and of Article 17.1(a) (right to erasure). The company was fined EUR 15,000 (taking into account its limited size: 13 people working for the company).

What should you do?

Immediately

  • Adapt your IT / Privacy policy

Clear processes on how the mailbox and its content are handled upon departure should be defined and communicated to all personnel. According to this decision, these processes should at least address the elements described below.

Prior to the departure

  • Collection of personal items / sorting out the mailbox

The Belgian DPA states that, just as a staff member must be allowed to retrieve their personal belongings, they must be allowed to collect and/or delete personal electronic communications before leaving. If the employer needs to recover elements from the departing staff member’s account for business reasons, this should be done before their departure and in their presence. In delicate or contentious situations, the presence of a person of confidence is recommended.

In this regard, the European Data Protection Board advises, throughout the collaboration, “to ensure that relevant correspondence is stored in places that are accessible to those persons who need it such as case management systems, case files or provided in handover notes” (advice that also helps avoid problems in case of a staff member’s long-term absence).

  • Closing of the mailbox and information thereof

The company must inform the departing staff member in advance that the mailbox will be closed and, after an appropriate period of time, deleted. Closing (making the mailbox unavailable) must take place at the latest on the day of the staff member’s effective departure.

  • Automatic reply

Before closing the mailbox, an automatic reply must be activated that informs senders:

  • that the concerned person has ceased to work at/for the company; and
  • of other relevant contact information (the person to contact instead, or a general company email address).

Upon and after the departure

  • After a certain period, deletion of the mailbox

The automatic reply must remain active for an appropriate period of time (in principle one month). This period may be extended depending on the context and on the level of responsibility of the person concerned, but should in no case exceed three months, and the extension should take place with the person’s agreement or, at least, with their knowledge. After this period, the mailbox must be deleted, not kept.

Email forward: explicitly discouraged

A common practice is to forward the emails sent to the departing person to their former colleagues for a certain period. While this may serve legitimate purposes (e.g. ensuring a smooth transition), the DPA disapproves of this method because there is no control over incoming emails, and personal information of a potentially sensitive nature may be disclosed without the consent not only of the departing person but also of the sender of the email (all the more so if there is no automatic reply).
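
As an added example (not part of the original note, and not the DPA’s or the company’s own procedure), the following PowerShell script implements the steps above for an Exchange Online mailbox using the ExchangeOnlineManagement module: close the mailbox on the day of departure, remove any forwarding, activate a time-boxed automatic reply, and record the deletion date. It assumes you have already run Connect-ExchangeOnline with administrative rights, that the departing person has already collected their personal emails as described above, and that the mailbox address, the contact address and the 30-day default are placeholders to adapt to your case.

```powershell
# Added example: offboard a departing person's Exchange Online mailbox in line
# with Belgian DPA Decision 64/2020. Assumes Connect-ExchangeOnline has been run.
# $Mailbox, $ContactAddress and $RetentionDays are placeholders, not values from the note.
param(
    [Parameter(Mandatory)] [string] $Mailbox,         # e.g. firstname.familyname@companyname.be
    [Parameter(Mandatory)] [string] $ContactAddress,  # successor, or a general company address
    [int] $RetentionDays = 30                         # "in principle 1 month"
)

# The note's ceiling: an extension may never exceed three months, and needs the person's
# agreement or at least knowledge (to be documented outside this script).
if ($RetentionDays -gt 90) { throw "Automatic reply period must not exceed 3 months." }

# 1. Close the mailbox on the day of departure: block every client protocol so nobody
#    can sign in or read it, while the mailbox itself still exists to send the auto-reply.
#    Also block the account's sign-in in your identity provider; that step is not shown here.
Set-CASMailbox -Identity $Mailbox -OWAEnabled $false -ActiveSyncEnabled $false `
    -MAPIEnabled $false -EwsEnabled $false -ImapEnabled $false -PopEnabled $false

# 2. No forwarding to colleagues (explicitly discouraged by the DPA): clear mailbox-level
#    forwarding and delete any inbox rules the user created that forward or redirect mail.
Set-Mailbox -Identity $Mailbox -ForwardingAddress $null -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false
Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Remove-InboxRule -Confirm:$false

# 3. Automatic reply for internal and external senders: the person no longer works for the
#    company, and whom to contact instead. It is scheduled to stop on the deletion date.
$deleteOn = (Get-Date).AddDays($RetentionDays)
$reply = "This person no longer works for the company. Please contact $ContactAddress."
Set-MailboxAutoReplyConfiguration -Identity $Mailbox -AutoReplyState Scheduled `
    -StartTime (Get-Date) -EndTime $deleteOn -ExternalAudience All `
    -InternalMessage $reply -ExternalMessage $reply

# 4. The mailbox must be deleted, not kept. Run the following on or after $deleteOn
#    (for example from a scheduled task that reads the date recorded below):
#    Remove-Mailbox -Identity $Mailbox -Confirm:$false
#    Exchange Online keeps a soft-deleted copy for a further 30 days by default, so plan
#    the deletion date so that the retention period the person was told about is honoured.
Write-Output "Mailbox $Mailbox closed; auto-reply active until $($deleteOn.ToShortDateString()); delete on that date."
```

The script deliberately blocks access and stops forwarding before the automatic reply is configured, so that there is no window in which incoming mail reaches a former colleague without the sender being told the person has left.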

Conclusion

This decision provides useful guidelines and insights for companies regarding the handling of mailboxes (some of which were already set out in Recommendation CM/Rec(2015)5 of the Committee of Ministers of the Council of Europe to member States on the processing of personal data in the context of employment).

One big takeaway is that these guidelines apply to the handling of the mailboxes of all data subjects, and not only to those working under an employment contract.

Furthermore, it is important to note that the decision does not go so far as to create an obligation for the company to communicate the departing staff member’s new contact details (e.g. in the automatic reply). This remains for the parties to agree upon, which is all the more reason for the company to set out clear guidelines on this point in its IT policy, to be accepted at the start of the relationship.

Indeed, as the decision is very clear about the need for adequate internal policies on mailboxes and their handling within the company, it is now more important than ever to create or update such policies and have them accepted in due form.

Please do not hesitate to contact us should you require further information, advice and/or assistance on the issues discussed in this note, or on any other matter in our expertise areas.