Onward Transfers of Personal Data under the GDPR
What are the GDPR rules governing the transfer of personal data to a third country?
Under the General Data Protection Regulation (“GDPR”), any transfer of personal data from the European Economic Area (“EEA”) to a third country (a “Transfer”) shall take place only if it is made in accordance with the GDPR.
The GDPR allows Transfers on the basis of an adequacy decision taken by the European Commission (“EC”) where the third country ensures an adequate level of protection for personal data.
When there is no adequacy decision, Transfers may take place if appropriate safeguards such as the Standard Contractual Clauses have been implemented by the controller and/or processor.
What are the new SCCs?
On July 16, 2020, the Court of Justice of the European Union (“CJEU”) invalidated the EU-US Privacy Shield mechanism on the ground that it does not ensure guarantees essentially equivalent to those required by the GDPR and the Charter of Fundamental Rights of the European Union (“Charter”) for a Transfer. Following this decision, the European Commission issued on June 4, 2021 new Standard Contractual Clauses (“SCCs”) repealing the existing SCCs implemented by EU Decision 2001/497/EC and Decision 2010/87/EU and commonly used by organizations. The SCCs strengthen data protection safeguards, clarify the respective obligations of controllers and processors, and improve transparency towards data subjects.
How does Coveo comply with the GDPR when there is a Transfer?
Coveo relies on different mechanisms when there is a Transfer:
- The SCCs
When Coveo acts as a processor of Personal Data (as defined in the Coveo Data Processing Addendum (“DPA”)), Coveo signs the SCCs with all its customers when there is a Transfer of Personal Data. Coveo has therefore incorporated the SCCs into its DPA, which allows both Coveo and its customers to comply with the GDPR.
When Coveo acts as a controller of personal data towards its suppliers, Coveo ensures that the SCCs are in place where there is a Transfer.
- EC Adequacy decision for the EU-US Data Privacy Framework
Coveo complies with the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework and the UK Extension to the EU-US Data Privacy Framework as set forth by the U.S. Department of Commerce when there is a transfer of personal data. Please refer to this page for more information.
Has Coveo performed a Transfer Impact Assessment (“TIA”)?
Yes. When the Transfer is based on the SCCs, controllers and processors should warrant through an assessment - a TIA - that, at the time of agreeing to the SCCs, they have no reason to believe that the laws and practices applicable to the data importer are not in line with the requirements laid out in the SCCs.
Coveo customers may choose to store Customer Data in the EEA, in the U.S., in Canada or in Australia. In such cases, Coveo then transfers Personal Data to Canada, which offers an adequate level of protection, and to the U.S. in order to provide the Hosted Services (as defined in the Coveo Customer Agreement).
Does Coveo take into account transfers of personal data made to and from the United Kingdom (“UK”)?
A Transfer of Personal Data under the UK GDPR mirrors the EU GDPR, but the UK can independently adjust those rules.
A Transfer of Personal Data from the EEA to the UK may take place without additional safeguards since the EC has considered on 28 June 2021 that the UK offers an adequate level of protection for personal data.
The UK has implemented its own adequacy regulations when there is a transfer of personal data from the UK to a country that offers an adequate level of protection for personal data under the UK GDPR. Adequacy regulations cover the EEA and Canada for instance.
Where there is a transfer of personal data from the UK to a third country that does not offer an adequate level of protection, the transfer shall be subject to “appropriate safeguards” as set forth by Article 46 of the UK GDPR:
- EU SCCs and the UK International Data Transfer Addendum that came into force on 21 March 2022;
- The UK Extension to the EU-US Data Privacy Framework that came into force on October 12, 2023.
Coveo has implemented both mechanisms to secure onward transfers.