Providing a robust cloud-specific solution for international data transfers
Following the Schrems II ruling, companies worldwide face difficulties with the uncertainty surrounding international data transfers.
A primary challenge they encounter is finding an adequate legal framework that offers the necessary flexibility to effectively navigate global markets without jeopardizing the protection of data subjects.
We recognized the need for a tool that will address the uncertainty of international data transfers while nurturing innovation and growth.
The preliminary draft of the Third Country Transfers Module is currently open for public consultation on the EU Cloud CoC website.
The EU Cloud CoC General Assembly welcomes the participation of all interested parties in reviewing and providing feedback on this initial version.
Give feedback on the draft Module, as your insights will meaningfully contribute to shaping an effective solution for all cloud environments.
Hear from chairpersons of the initiative
Learn more about the Third Country Transfers Module from the experts leading the initiative: Jelena Kljujic and Thomas Nietsch
Here's how the module is structured:
To achieve compliance with the Module, cloud service providers will need to comply with the "General Obligations" and "Transfer Impact Assessment" sections.
General Obligations
This section relates to general data protection principles that must be in place and which are derived from the Guidelines 04/2021 of the EDPB. It covers principles such as transparency, fairness and lawfulness, purpose limitation, data minimization and accuracy, limited storage of data, processing of sensitive data, security, compliance with instructions from the controller (for processors), including rules on the use of processors or sub-processors, and rules on onward transfers.
Transfer Impact Assessment
This section is the core of the Module. It introduces a methodology for cloud service providers to assess the impact and security implications of the third country transfer in the following ways:
- identifying and documenting factors such as laws or practices applicable to the third country transfer and determining whether the implementation of supplementary measures is necessary to guarantee a level of data protection equivalent to that ensured within the EU by GDPR, and
- assessing and identifying the adequate supplementary measures.