Skip navigation

Providing a robust cloud-specific solution for international data transfers

Following the Schrems II ruling, companies worldwide face difficulties with the uncertainty surrounding international data transfers.

A primary challenge they encounter is finding an adequate legal framework that offers the necessary flexibility to effectively navigate global markets without jeopardizing the protection of data subjects.

We recognized the need for a tool that will address the uncertainty of international data transfers while nurturing innovation and growth


Complementing the EU Cloud CoC to become a safeguard pursuant to Article 46 GDPR

Just like the EU Cloud CoC, the Third Country Transfers Module is aligned with the cloud industry’s architecture and applies to “business to business” (B2B), where the cloud service provider is acting as processor.

Additionally, the module:

  • Incorporates the requirements derived from relevant EDPB guidelines, recommendations and the CJEU rulings,
  • Emerges as a versatile Chapter V solution that presents the advantage of covering data transfers to multiple jurisdictions, enabling organizations to operate globally,
  • Provides a compliance mechanism equipping organizations with an optimal tool to identify appropriate, technical, contractual and organizational supplementary measures,
  • Includes standardized mechanisms through which cloud service providers can effectively support customers and controllers and by that facilitate compliance with documentation and communication requirements.

The preliminary draft of the Third Country Transfers Module is currently open for public consultation on the EU Cloud CoC website.

The EU Cloud CoC General Assembly welcomes the participation of all interested parties in reviewing and providing feedback on this initial version.

 

Give feedback on the draft Module  as your insights will meaningfully contribute to shaping an effective solution for all cloud environments. 

Hear from chairpersons of the initiative

Learn more about the Third Country Transfers Module from the experts leading the initiative: Jelena Kljujic and Thomas Nietsch

Here's how the module is structured:

To achieve compliance with the Module cloud service providers will need to comply with the "General Obligations" and "Transfer Impact Assessment" sections.

General Obligations

Relates to general data protection principles that must be in place and which are derived from the Guidelines 04/2021 of the EDPB. This section covers principles such as transparency, fairness and lawfulness, purpose limitation, data minimization and accuracy, limited storage of data, processing of sensitive data, security, compliance with instructions from the controller (for processors), including rules on the use of processors or sub processors, and rules on onward transfers.

Transfer Impact Assessment

It is the core of the module which introduces a methodology for cloud service providers to assess the impact and security implications of the third country transfer in the following ways:

  • identifying and documenting factors such as laws or practices applicable to the third country transfer and determining whether the implementation of supplementary measures are necessary to guarantee a level of data protection equivalent to that ensured within the EU by GDPR and,
  • assessing and identifying the adequate supplementary measures.

Transfer Impact Assessment

Frequently Asked Questions

No, the Third Country Transfers Module Initiative is currently creating a dedicated safeguard for the third country data transfers as an on-top Module to the EU Cloud CoC. Therefore, the EU Cloud CoC is an approved and operational tool that enables Cloud Service Providers to demonstrate compliance solely regarding Article 28 GDPR and all its related articles.

Once the Third Country Module is finalized and if approved by the Supervisory Authorities, it will consist of an a on-top structure which adherent services to the EU Cloud CoC can opt to be verified against.

The EU Cloud CoC General Assembly is currently developing an on-top Module to the EU Cloud CoC which seeks to create a dedicated safeguard for third country data transfers pursuant to Article 46 GDPR. This additional tool that is being developed is called the Third Country Transfers Module and its first draft has been published and is open for public consultation.

The Third Country Transfers Module will only effectively become a third country transfer safeguard once it receives the positive opinion of the EDPB, the approval of the lead Supervisory Authority and when the European Commission grants its General Validity pursuant Article 40 GDPR.

No, the Third Country Transfers Module is currently in its development phase and, therefore, is not yet completed. As the EU Cloud CoC General Assembly continuously works on the development of the Module, a first draft has been published alongside an open consultation. The main goal of the publication of the draft version as well as of promoting a public consultation is to enable the cloud and privacy communities to contribute to the Module and ultimately develop an effective and comprehensive solution for all stakeholders involved.

The Third Country Transfers Module is being developed by the EU Cloud CoC General Assembly. Therefore, all voting General Assembly members of the EU Cloud CoC can join the working group responsible for the drafting of the initiative.

For those who are interested in applying for EU Cloud CoC Membership, please refer to our Online Application Form.

The Third Transfers Country Module is an on-top Module of the EU Cloud CoC and, therefore, shall be also monitored by SCOPE Europe.

In this context it is crucial to note that the accreditation of a monitoring body under the GDPR must be connected to a specific code of conduct. Despite of being an on-top structure of the EU Cloud CoC, the Third Country Transfers Module has a different scope than the EU Cloud CoC itself. Against this background, SCOPE Europe must undergo a specific and separate accreditation process to be able to oversee compliance with the Third Country Transfers Module.

The Third Country Transfers Module is an on-top module of the EU Cloud CoC. Consequently, the participation in the development of the Module is currently included in the Membership fee of the EU Cloud CoC. From the moment the Third Country Transfers Module becomes operational, a dedicated pricing scheme relating to the verification of compliance shall be released. 

No. While the Initiative certainly aims to tackle the Schrems II ruling and recognizes that Schrems II originated from a case involving the US, it's important to note that the repercussions and effects of this ruling extend beyond the boundaries of the US. Consequently, the Third Country Transfer Module intends to cover any third country transfers irrespective the applicable third country, i.e. the Module applies globally. 

Yes, the Third Country Module is being developed in order to create a safeguard to be applied globally.

The Third Country Transfers Module applies the definition of transfer established by the EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR.