Onward Transfers of Personal Data under the GDPR

Last updated: September 22, 2021

What are the GDPR rules governing the transfer of personal data to a third-country?

Under the General Data Protection Regulation (“GDPR”), any transfer of personal data from the European Economic Area (“EEA”) to a third country (a “Transfer”) shall take place only if it is made in accordance with the GDPR. 

The GDPR allows Transfers on the basis of an adequacy decision taken by the European Commission (“EC”) where the third-country ensures an adequate level of protection for personal data. 

When there is no adequacy decision, Transfers may take place if appropriate safeguards such as the Standard Contractual Clauses have been implemented by the controller and/or processor.

What are the new SCCs?

On July 16, 2020, the Court of Justice of the European Union (“CJEU”) invalidated the EU-US Privacy Shield mechanism on the ground that it does not ensure guarantees essentially equivalent to those required by the GDPR and the Charter of Fundamental Rights of the European union (“Charter”) for a Transfer. Following this decision, the European Commission issued on June 4, 2021 new Standard Contractual Clauses (“SCCs”) repealing the existing SCCs implemented by the EU Decision 2001/497/EC and Decision 2010/87/EU and commonly used by organizations. The SCCs strengthen data protection safeguards, clarify the respective obligations of controllers and processors and improve transparency towards data subjects. 

How does Coveo comply with the GDPR when there is a Transfer?

Coveo relies on the SCCs when there is a Transfer. 

When Coveo acts as a processor of Personal Data (as defined in Coveo Data Processing Addendum (“DPA”), Coveo signs the SCCs with all its customers when there is a Transfer of Personal Data. Coveo has therefore included the SCCs into its DPA which allows both Coveo and its customers to comply with the GDPR. 

When Coveo acts as a controller of personal data towards its suppliers, Coveo ensures that the SCCs are in place where there is a Transfer. 

Has Coveo performed a Transfer Impact Assessment (“TIA”)?

Yes. Controllers and processors should warrant through an assessment - a TIA - that, at the time of agreeing to the SCCs, they have no reason to believe that the laws and practices applicable to the data importer are not in line with the requirements laid out in the SCCs.

Coveo customers may choose to store Customer Data in the EEA or in the U.S. In both cases, Coveo then transfers Personal Data to Canada, which offers an adequate level of protection, and to the U.S in order to provide the Hosted Services (as defined in Coveo Customer Agreement). Coveo relies on the SCCs and on a TIA for such transfers, taking into account any relevant contractual, technical or organisational safeguards put in place by Coveo to supplement the SCCs.

Does Coveo take into account transfers of personal data made to and from the United Kingdom (“UK”)?

A Transfer of Personal Data under the UK GDPR mirrors the EU GDPR, but the UK can independently adjust those rules. 

A Transfer of Personal Data from the EEA to the UK may take place without additional safeguards since the EC has considered on 28 June 2021 that the UK offers an adequate level of protection for personal data. 

The UK has implemented its own adequacy regulations when there is a transfer of personal data from the UK to a country that offers an adequate level of protection for personal data under the UK GDPR. Adequacy regulations cover the EEA and Canada for instance. 

Where there is a transfer of personal data from the UK to a third-country which does not offer an adequate level of protection, the UK is still working on different data transfer options that might be relied upon by organizations. Coveo is closely monitoring the UK regulations in this regard and Coveo DPA takes into account the possibility to make amendments to reflect such regulatory changes.