EDPS - 2023-0367

From GDPRhub
Revision as of 14:11, 25 July 2023 by At (talk | contribs)
EDPS - Case 2023-0367
LogoEDPS.png
Authority: EDPS
Jurisdiction: European Union
Relevant Law:
Article 48(3)(a) Regulation (EU) 2018/1725
Article 50(1)(3) Regulation (EU) 2018/1725
Article 50(1)(d) Regulation (EU) 2018/1725
Article 57(1)(n) Regulation (EU) 2018/1725
Article 58 Regulation (EU) 2018/1725
Article 58(3)(e) Regulation (EU) 2018/1725
Chapter V Regulation (EU) 2018/1725
Type: Other
Outcome: n/a
Started:
Decided: 13.07.2023
Published:
Fine: n/a
Parties: Court of Justice of the European Union (CJEU)
National Case Number/Name: Case 2023-0367
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: EDPS (in EN)
Initial Contributor: n/a

The EDPS found, after the CJEU requested for an authorisation of contractual clauses under Article 48(3)(a) of the EU GDPR, that no data transfers took place that would fall under the scope of such authorisation in the context of the CJEU’s use of the videoconferencing tool Cisco Webex.

English Summary

Facts

Court of Justice (CJEU) had concluded a contract with Cisco International Limited UK (Cisco UK), with certain annexes concluded with Cisco Systems Inc. US (the contract). The contract provided for the use of the videoconferencing solution 'Cisco Webex' and related services.

In August 2021, the EDPS temporarily authorised the use of contractual clauses between the CJEU and Cisco Systems Inc. for transfers of personal data in the CJEU’s use of Cisco Webex and related services (EDPS Decision 2021) in the context of Chapter V of Regulation (EU) 2018/1725 (EU GDPR). In that decision, the EDPS set 14 conditions that the CJEU was required to meet for the renewal of the authorisation.

In October 2022, following an assessment of the CJEU’s implementation report, the EDPS extended temporarily and conditionally the authorisation to use the mentioned contractual clauses (EDPS Decision 2022). In that decision, the EDPS called on the CJEU to clarify several outstanding issues and to introduce further changes to the contractual obligations between the Court and Cisco Systems Inc. US. The CJEU was required to ensure an essentially equivalent level of protection within 16 months after the date of the EDPS Decision 2022 (i.e. by 1 March 2024), by remedying the compliance issues identified in that decision.

Thereafter, in May 2023, the CJEU provided a compliance report and newly redrafted contractual clauses (together ‘the documentation’) to the EDPS to demonstrate the implementation of the conditions set in the EDPS Decision 2022. The CJEU requested for an authorisation of contractual clauses under Article 48(3)(a) of the EU GDPR to be concluded between the CJEU and Cisco Systems Inc. US, in the context of transfers of personal data (Chapter V of the EU GDPR) in the CJEU’s use of Cisco Webex and related services.

Holding

(i) No transfers of personal data

The EDPS took into account that based on the documentation provided to the EDPS there were technical measures, such as end-to-end encryption (Zero Trust Security End-to-End encryption), in place that effectively prevented Cisco’s access to real time (meeting) data of the CJEU. The use of the Zero Trust Security End-to-End encryption was considered, by the EDPS, as one of several technical measures significantly contributing to the integrity and confidentiality of the processing operations.

Furthermore, the EDPS took into account that the personal data in question was processed and stored within the European Economic Area (EEA). Moreover, Cisco UK did not have access to the data of the CJEU by default, and in any case Cisco UK did not access the data without explicit authorisation. Also, none of Cisco’s sub-processors located outside of the EEA had a default remote access to the CJEU’s data processed in the EEA.

In light of the above, the EDPS found that there were no transfer(s) of personal data or otherwise making personal data available by the CJEU to Cisco UK, because the latter was contractually excluded from having access to or accessing personal data on behalf of the CJEU.

(ii) Merely potential and unforeseeable transfers do not fall under Chapter V of the EU GDPR

Nextly, the EDPS held that transfers resulting from unauthorised access by third country entities, which are merely potential and in no way foreseeable, in light of the content or purpose of a contract, do not fall under the scope of Chapter V of EU GDPR. In the EDPS’s view, the unlikely and unplanned character of such risks of such unauthorised access made them unsuitable to be ex ante subjected to the regime of Chapter V of the EU GDPR. It followed, that the EDPS held that for such potential and unplanned transfers, a transfer tool under Chapter V is not required.

In the present case, the EDPS viewed that the transfers resulting from possible remote governmental access to data located in the EEA, (possible under the laws of the United States), are not envisaged nor planned under the contract between the CJEU and Cisco UK. In that sense, the CJEU was considered not to have planned for such transfers to take place in the broader context of the execution of the contract or the CJEU’s ‘stable relationship with Cisco Webex entities’.

Based on the above, the EDPS held that potential transfers of data located in the EEA resulting from the application of third-country laws are not covered by Chapter V of the Regulation, and the Court does not need to provide for appropriate safeguards for them by means of contractual clauses.

(iii) Contractual exceptions that may lead to transfers of personal data

However, the contract did include exceptions to the territorial limitations on processing personal data resulting from specific actions (e.g. when a user makes a technical assistance request or contract management). The EDPS found that in those exceptional situations, transfer(s) of personal data in the context of Chapter V of the EU GDPR may take place. Based on the documentation, the EDPS found that the CJEU had mitigated the application of such exceptions, in a way, that effectively prevented the transfers from taking place. In addition, the EDPS noted that the CJEU had introduced additional organisational measures aimed at limiting the transfer(s) of personal data.

Based on the documentation, the EDPS also considered that the measures introduced by the CJEU effectively prevented the chance that such exceptions were triggered. As a result, even though transfers remained foreseen, the CJEU’s additional internal measures were seen to effectively prevent such transfers from taking place. It followed, that the EDPS held that in those circumstances the transfers did not require an authorisation under Article 48(3)(a) of the EU GDPR.

With regard to a transfer of personal data resulting from a user’s technical assistance request, the EDPS held that the CJEU may rely on the derogation provided for under Article 50(1)(d) (transfer is necessary for important reasons of public interest) and (3) of the EU GDPR. In addition, with regard to transfers resulting from contract management, the EDPS held that the CJEU could also rely on the derogation provided for under Article 50(1)(d) (transfer is necessary for important reasons of public interest) and (3) of the EU GDPR. Thus, such transfers were considered to be not fall within the scope of the present decision.

Conclusion

As a result of the above assessment, the EDPS concluded that the CJEU had complied with the conditions that were imposed within the previous EDPS decisions in 2021 and 2022, and issued a decision in accordance with Article 57(1)(n) and Article 58(3)(e) of the EU GDPR. The EDPS found that there were no data transfers that would fall under the scope of an authorisation under Article 48(3)(a) of the EU GDPR.

The decision was said to be without prejudice to the investigative and corrective powers of the EDPS under Article 58 of the EU GDPR.

Comment

We note, that under authorisation procedures, the EDPS does not carry out an investigation or on-the-spot checks and audit of the processing and flows of personal data in the use of a certain service as they occur in practice and of the effectiveness of the technical and organisational measures implemented and the provider of that service. The scope of EDPS authorisations is limited to verifying that the contractual clauses between the controller and the processor with which the contract is concluded provide appropriate safeguards.

An authorisation decision issued by the EDPS is not a general endorsement nor certification of data protection compliance of the services provided by any entity of the provider which is also stated in the decision.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

EDPS Decision on the Court of Justice of the EU’s request to

authorise the contractual clauses between the Court of Justice
of the EU and Cisco Systems Inc. for transfers of personal data

      in the Court’s use of Cisco Webex and related services

                                     13 July 2023


                                   (Case 2023-0367)

Summary:

This Decision addresses the request from the Court of Justice of the EU (the ‘Court’) for the
renewal of the authorisation of the contractual clauses pursuant to Article 48(3)(a) of
Regulation (EU) 2018/1725 (the ‘Regulation’) .1


Given the Court’s progress in its compliance with the conditions of the EDPS Authorisation
Decision of 31 August 2021 and the EDPS Authorisation Decision of 28 October 2022, the
EDPS finds that there are no transfers that fall under the scope of an authorisation under
Article 48(3)(a) of the Regulation.

In the context of the present Decision, the EDPS has not carried our any investigation or on-
the-spot checks or audit of the processing and flows of personal data in the Court’s use of
Cisco Webex and related services as they occur in practice and of the effectiveness of the
technical and organisational measures implemented by the Court and Cisco.

The exercise of the EDPS powers in the present Decision is without prejudice to investigative

and corrective powers of the EDPS, which may be relied on in a separate procedure to allow
the EDPS to verify the factual assertions made by the exporting Union institutions, bodies,
offices and agencies (EUIs) in the context of authorisation procedures under Articles 48(3)(a),
57(1)(e) and 58(3)(e) of the Regulation.

This Decision is not a general endorsement nor certification of data protection compliance
of the videoconferencing services provided by any Cisco Webex entity.

 







                                                      
1  Regulation (EU) 2018/1725 of the European Parliament and the Council of 23 October 2018 on the protection
   of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices
   and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and
   Decision No 1247/2002/EC, OJ L 295, 21.11.2018, p. 39.



                                                                                              1                                                                   

                                                                  


                                                                  

                                                        Contents

 
I.     PROCEEDINGS..........................................................................................................................................3
II.    BACKGROUNDINFORMATION........................................................................................................4

   A. Previous EDPS decisions..............................................................................................................4
   B. Facts..................................................................................................................................................5

III. LEGALANALYSIS......................................................................................................................................6
   A. Nature of the authorisation under Article 48(3) of the Regulation...................................6

   B. Transfers subject to an EDPS authorisation............................................................................7
       1.       Transfers that could result from exceptions to the Data Residency Programme

                and measures to prevent such transfers from happening...........................................7
       2.       Conditions of EDPS Authorisation Decision of 28 October 2022............................10

   C. Transfers not subject to an EDPS authorisation..................................................................11
       1.       Possible non-EU/EEA governmental access requests.................................................11

       2.       Processing for the Court’s use of Cisco Technical Assistance Service Delivery.13
       3.       Transfers of business customer information.................................................................18

IV. CONCLUSION..........................................................................................................................................18




 

















                                                                                                                                 2 I.      PROCEEDINGS


     1.   This Decision concerns the request from the Court of Justice of the European Union
          (‘the Court’) for authorisation of contractual clauses under Article 48(3)(a) of
          Regulation (EU) 2018/1725 (the ‘Regulation’) to be concluded between the Court
          and Cisco Systems Inc., in the context of transfers of personal data in the Court's
          use of Cisco Webex and related services.     3


     2.   The Court’s use of Cisco Webex and related services generates multiple data flows.
          Based on the information provided to the EDPS by the Court, none of these data
          flows fall under the scope of an authorisation decision under Article 48(3)(a) of the
          Regulation.


     3.   As such, this Decision does not include in its scope transfers provided for under the
          contractbetweentheCourtandtheUKcompanyCiscoInternationalLimited,which
          are effectively prevented by the Court, as described in points 21-26 of this Decision.

     4.   Similarly, this Decision does not include in its scope the transfers of personal data
          that are subject to Article 50(1)(d) of the Regulation, for which an authorisation for

          the EDPS is not required. Under Article 50(6) of the Regulation, the EDPS takes note
          of the categories of cases in which this Article is applied in the Court’s use of Cisco
          Webex services, as described in points 40-55 of this Decision.

     5.   This Decision does not include in its scope transfers potentially resulting from
          unauthorised remote access, as described in points 29-39.


     6.   The EDPS issues this Decision in accordancewithArticle57(1)(n)andArticle58(3)(e)
          of the Regulation.

     7.   This Decision is addressed to the Court.

    








                                                      
2  Regulation (EU) 2018/1725 of the European Parliament and the Council of 23 October 2018 on the protection
   of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices
   and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and
   Decision No 1247/2002/EC, OJ L 295, 21.11.2018, p. 39.
3  The Court concluded a contract (the Enterprise License Agreement - ‘ELA’) with Cisco International Limited
   UK, with certain annexes concluded with Cisco Systems Inc. US. The contract provides for the use of Cisco
   software on premises (Cisco Video Mesh, Cisco Meeting Server, Cisco Unified Communications Manager),
   as well as the provision of Cisco cloud services (Cisco Webex Meetings, Cisco Webex Events) and
   maintenance/support services (Cisco Technical Assistance (‘TAC’) Service Delivery). This information was
   provided to the EDPS in the context of the EDPS Authorisation Decision of 31 August 2021.



                                                                                                     3 II.    BACKGROUNDINFORMATION


    A. PreviousEDPSdecisions

    8. On 31 August 2021, the EDPS temporarily authorised the use of contractual clauses
        between the Court and Cisco Systems Inc. for transfers of personal data in the
        Court’s use of Cisco Webex and related services (‘EDPS Decision of 31 August
               4
        2021’). In that Decision, the EDPS set 14 c5nditions that the Court was required to
        meet for the renewal of the authorisation.

    9. On 30 September 2022, the EDPS issued an interim Decision which prolonged the
        effects of the EDPS Authorisation Decision of 31 August 2021 until 31 October 2022.

    10. On 28 October 2022, following an assessment of the Court’s implementation report

        to the EDPS Decision of 31 August 2021, the EDPS extended temporarily and
        conditionally the authorisation to use the mentioned contractual clauses (‘EDPS
        Decision of 28 October 2022’). In that Decision, the EDPS called on the Court to
        clarifyseveraloutstandingissuesandtointroducefurtherchangestothecontractual
        obligations between the Court and Cisco Systems Inc.


    11. The Court was required to ensure an essentially equivalent level of protection within
        16 months after the date of the Decision of 28 October 2022, i.e. by 1 March 2024, by
        remedying the compliance issues identified in that Decision. The Court was also
        required to provide to the EDPS an intermediate compliance report 12 months after
        the date of that Decision, i.e., by 1 November 2023, demonstrating steps taken to
        implement the conditions set in that Decision.


    12. On 22 May 2023, the Court submitted the following documents:
            Final compliance report;
            Redrafted draft Supplementary Agreement No. 1 to ‘CISCO and Court of Justice

             of the European Union Enterprise License Agreement (ELA)’, together with its
             ◦  Exhibit A: ‘ Contractual Clauses’ (‘contractual clauses’) with its
                       Annex 1a: ‘Cisco Webex Meetings: Transfers of Personal Data’,
                       Annex 1b: ‘Cisco Technical Assistance (‘TAC’) Service Delivery:

                        Transfers of Personal Data’;
                ▪   Exhibit B: ‘List of Sub-processors’;
                ▪   Exhibit C: ‘Information Security Exhibit’;
                ▪   Exhibit D: ‘Data Privacy Sheets’ with its

                       Attachment 1: ‘Webex Meeting Privacy Data Sheet’,
                       Attachment 2: ‘TAC Privacy Data Sheet’.

            Revised ‘Data Transfer Impact Assessment for the Use of CISCO Webex by the
             Court of Justice of the European Union’ (‘Revised TIA’) with Annexes:
                                                      
4  EDPS Authorisation Decision of 31 August 2021 (case 2021-0255).
5  The conditions are listed under Section 3 of the EDPS Decision of 31 August 2021.
6  EDPS Authorisation Decision of 28 October 2022 (case 2022-0902).



                                                                                            4              ◦   Annex I: ‘Videoconference Policy’;

             ◦   Annex II: ‘OSU Cisco TAC management procedure’;
             ◦   Annex III: ‘Registre des activités de traitement des données personnelles -
                 Services de vidéoconférence et de communication unifiée’ and ‘Information
                 notice on the protection of personal data - Video Conferencing Services

                 (Cisco Webex Meetings)’.

    B. Facts


    13. The EDPS explained its understanding of the contractual obligations between the
         Court and Cisco Systems Inc., and other Cisco entities in points 2.1.-2.6. of the EDPS
         Decision of 28 October 2022. These findings of fact are not being repeated here for

         the sake of brevity.

    14. Based the submitted documents, the EDPS understands the following as new or
         clarified facts:


       14.1. ‘User-Generated Information’ refers to Meeting Recordings, Transcriptions
             of meeting recordings, Uploaded Files, which include real-time meeting data
             such as VoIP, video and high frame rate sharing data.   7

       14.2. The ‘Webex Data Residency for EU countries’ programme, deployed by

             Cisco International Limited, is activated with regard to all of the Court’s
             personal data and ensures that personal data processed by Cisco International
             Limited and its affiliates under its agreement with the Court is processed in

             Frankfurt, Germ8ny, with a back-up data centre in Amsterdam, The
             Netherlands. The Court verified the application of this choice through the
             Control Hub of Webex.   9

       14.3. The deployment of the Webex Data Residency programme for the Court’s

             personal data, including real-time data, means that all processing operations,
             including storage, take place in the Court’s geographic region mentioned in
             point 14.2. Based on assurances from Cisco International Limited       10 and the

             specific11ontractual obligations between the Court and Cisco International
             Limited , Cisco International Limited located in the UK does not access the
             data of the Court by default, and in any case does not access the data of the
             Court without explicit authorisation. In addition, none of the Cisco sub-

             processors located outside of the European Economic Area (EEA) have a
             default remote access to the Court’s data processed in the EEA.


                                                      
7  Point 2 of Annex 1a to Exhibit A to the Supplementary Agreement.
8  Article 1(4)(iii) of the Supplementary Agreement.
9  Point 26 of the Revised TIA.
10 Emails received by the Court from Cisco with clarifications concerning remote access received, transmitted
   to the EDPS on 13 and 17 February 2023 (registered in the internal EDPS case management system).
11
   Article 4(4)(c) of the Supplementary Agreement (last paragraph on page 5 thereof). This paragraph
   incorporates the EDPS requirements under Condition 13 of the EDPS Decision of 31 August 2021.



                                                                                              5 III. LEGALANALYSIS

    A. NatureoftheauthorisationunderArticle48(3)oftheRegulation


     15. Under Article 46 of the Regulation, any transfer of personal data which are
         undergoingprocessingorareintendedforprocessingaftertransfertoathirdcountry
         or to an international organisation shall take place only if, subject to the other

         provisionsoftheRegulation,theconditionslaiddowninChapterVoftheRegulation
         are complied with by the controller and processor, including for onward transfers of
         personal data from the third country or an international organisation to another
         third country or to another international organisation. All provisions in Chapter V

         of the Regulation shall be applied in order to ensure that the level of protection of
         natural persons guaranteed by this Regulation is not undermined.

     16. In the absence of a decision pursuant to Article 45(3) of Regulation (EU) 2016/679       12
         or to Article 36(3) of Directive (EU) 2016/680 1, a controller or processor may transfer

         personal data to a third country or to an international organisation only if the
         controller or processor has provided appropriate safeguards, and on condition that
         enforceable data subject rights and effective legal remedies for data subjects are
         available.


     17. Subject to the authorisation from the EDPS, appropriate safeguards may be provided
         for by, in particular, contractual clauses between the controller or processor and the
         controller, processor or the recipient of the personal data in the third country or
                                      14
         international organisation.

     18. The EDPS authorisations granted under Article 48(3)(a) of the Regulation have for
         their object such transmissions of personal data that qualify as transfers under the













                                                      
12 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
   of natural persons with regard to the processing of personal data and on the free movement of such data,
   and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR), OJ L 119, 4.5.2016, p. 1.
13 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of

   natural persons with regard to the processing of personal data by competent authorities for the purposes of
   the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal pen-
   alties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
14 (Law Enforcement Directive), OJ L 119, 4.5.2016, p. 89.
   Article 48(3)(a) of the Regulation.



                                                                                                  6          Regulation. Observing the authorising nature of such EDPS decisions, the EDPS6
         in this role aims to check contractual compliance with the Regulation of the
         exporting EUIs. Under authorisation procedures, the EDPS does not carry out an

         investigationoron-the-spotchecksandaudit of the processing and flows of personal
         data in a EUI’s use of a certain service as they occur in practice and of the
         effectiveness of the technical and organisational measures implemented by the EUI
         and the provider of that service. The scope of EDPS authorisations is limited to

         verifying that the contractual clauses between the controller and the processor with
         which the contract is concluded provide appropriate safeguards. This does not
         exempt the controller from fulfilling its obligations under Article 29 of the
         Regulation, including in relation to transfers.


    19. The exercise of authorisation powers is without prejudice to investigative and
         corrective powers of the EDPS which may be relied on in a separate procedure to
         allow the EDPS to verify the factual assertions made by the exporting EUIs in the
         context of authorisation procedures under Articles 48(3)(a) and 58(3)(e) of the

         Regulation.

    20. An authorisation decision issued by the EDPS is not a general endorsement nor
         certification of data protection compliance of the services provided by any entity of
         the provider.




    B. TransferssubjecttoanEDPSauthorisation


         1. Transfers that could result from exceptions to the Data Residency
            Programmeandmeasurestopreventsuchtransfersfromhappening


    21. In light of the facts presented in point 14.3, the EDPS finds that in the case at hand
         there is no disclosure by transmission or otherwise making personal data available
         by the Court to Cisco International Limited UK. It is because the latter is
         contractually excluded from having access to or accessing Court’s personal data


                                                      
15 Since the Regulation introduces no legal definition of a ‘transfer’, the EDPS relies in particular on the
   cumulative criteria to qualify a processing operation as a transfer as identified by the EDPB Guidelines on
   the Interplay between the application of Article 3 and the provisions on international transfers as per

   Chapter V of the GDPR, Version 2.0 adopted on 14 February 2023 (‘EDPB Guidelines 05/2021’).
   In the interest of a coherent approach to personal data protection throughout the Union, and the free
   movement of personal data within the Union, the legislators aligned the Regulation as far as possible with
   the data protection rules adopted for the public sector in the Member States. In line with Recital 5 of the
   Regulation, whenever the provisions of the Regulation follow the same principles as the provisions of the
   GDPR,those two setsof provisions should,under thecaselawof the Court of JusticeoftheEuropeanUnion,
   be interpreted homogeneously, in particular because the scheme of this Regulation should be understood
   as equivalent to the scheme of the GDPR. Consequently, the EDPS by analogy relies on guidance issued by
   the EDPB in the context of its interpretation of the Regulation where the interpreted provisions and
16 principles, like in this case, are the same.
   As opposed to corrective and investigative powers of the EDPS under Article 58(1) and (2) of the Regulation.



                                                                                                7           located in the EEA. In addition, based on the description in the documentation
          provided to the EDPS, technical measures such as Zero Trust Security End-to-End
                                                                                                     18
          encryption effectively prevent Cisco’s access to real time meeting data. As such,
          the transmission of personal data by the Court to data centres located in the EEA
          under the Data Residency Programme does not meet all of the criteria identified by
                                                                                                                 19
          the European Data Protection Board (EDPB) that would qualify it as a transfer.
          Considering they are not transfers in the sense of Chapter V of the Regulation,

          these processing operations are not includ20 in the scope of this Decision under
          Article 48(3)(a) of the Regulation. It follows that when the Webex Data Residency
          programme is deployed for the personal data in Court’s use of Cisco Webex services,

          there are no transfers of personal data.

     22. While there are contractual exceptions to the deployment of the Webex Data

          Residency programme because of ‘specific actions or use of functions by the user
          administratororuser’ ,asaresultofwhichtransfersof personal data may take place,
          the EDPS considers that, based on the information provided, the Court has

          mitigated their application in a way that effectively prevents the transfers
          from taking place in the following manner                  2:




                  Description of an exception to Mitigating measures introduced
                                                  23
                  Webex Data Residency                               by the Court

                  Customer or user registers a user on any The users of the Court do not need

                  Cisco platform (for example, through to register themselves on any Cisco
                  www.webex.com or www.cisco.com) or platform or a Cisco service in order


                                                      
17  Section 6 of Annex 1a to Exhibit A to the Supplementary Agreement as well as point 25 of the Final
    Compliance Report where the Court certifies that ‘access to data stored in the EEA by the Supplier, i.e., Cisco
    International Limited, and its sub-processors has been contractually excluded under Art. 1(4)(c)(second last
    paragraph) of the Supplementary Agreement and confirmed by Cisco through clarifications provided in emails

18  to the CJEU of 13 and 17 February 2023.’
    For description of its functioning see section 3.1.10 of the EDPS Authorisation Decision of 28 October 2022.
    The EDPS notes that the Court updated its documentation and information notice to be provided internally
    and externally, including technical requirements for the use of Zero Trust Security End-to-End encryption.
    This documentation was provided to the EDPS as Annex III to the Revised TIA.
19  The EDPB has identified three cumulative criteria to qualify a processing operation as a transfer in its
    Guidelines 05/2021, point 9 (see footnote 15). In the case at hand, condition 2 is not fulfilled because there
    is no disclosure by transmission or otherwise making available of data.
20
    Even if one was to consider that condition 2 of the EDPB Guidelines 05/2021 is fulfilled, the EDPS notes that
    these transmissions would take place to the UK that is covered until 27 June 2025 by the adequacy decision
    under Article 45 of the GDPR and therefore such transfers would have to comply with Article 47 of the
    Regulation. It follows that even if these transmissions were qualified as transfers, they would not fall under
    the scope of this Decision under Article 48(3)(a) of the Regulation.
21  Section 6 of Annex 1a to Exhibit A to the Supplementary Agreement.
22  As regards exceptions to the Data Residency Program resulting from (i) a user making a technical

    assistance request to the Cisco Technical Assistance Center and (ii) the Court providing ordering
23  information to Cisco, see respectively Sections C.2.and C.3. of this Decision.
    Para 45 of the Revised TIA, page 24 of Annex 1a to Exhibit A and Point 4 of Attachment 1 to Exhibit D.




                                                                                                                 8                through any Cisco service to learn more to use Webex. External users are
               about Cisco products or events            also not required to perform such a
                                                         registration.4


               A user engages in collaboration with The Court deactivated the option
               users outside of the EU region            Global Distributed Meetings, as a
                                                         result of which data transfers do not

                                                         take   place   when    there   is  a
                                                         collaboration with users outside of
                                                         the EEA region.   25The processing
                                                         operations take place on media

                                                         nodes located in the EEA. Webex
                                                         Meetings users located out of the
                                                         EEA    and    participating   in   a
                                                         videoconference organised by the

                                                         Court connect to a media node
                                                         located in the EEA.

               Customer, user, or user administrator     The     Court     blocks    optional
                                                         functionalities     that       might
               enables certain optional functionalities;
               or a user or user administrator enables   necessitate a transfer of personal
               cell phone “push” notifications (in which data       without       appropriate
               case the cell phone provider associated   safeguards.26 In addition, the Court
               with iOS or Android functionality may     requires   that  only   professional

               transfer data outside of the region).     devices be used for work related
                                                         communications, and explained that
                                                         these devices have ‘push’notifications
                                                         disabled at default.7


    23. The EDPS considers that the use of the Webex Zero Trust Security End-to-End,
        applicable to the User Generated Data , is one of several technical measures
        significantly contributing to the integrity and confidentiality of processing

        operations under Article 4(1)(g) of the Regulation, as well as the security and
        confidentiality of electronic communications, systems and networks Article 36 of the
        Regulation. 29

    24. In addition, the Court introduced additional organisational measures aimed at

        limiting the transmission of personal data. With regard to User Information: for the
                                                      
24
25 Paras 132(a) and 143 of the Revised TIA.
26 Point 6 of Annex 1a to Exhibit A.
27 Para 132(e) of the Revised TIA.
   Para 132(f) of the Revised TIA. The Court has provided the EDPS with copies of its internal policies that
   confirm that such instructions are given to its staff – attachment to the revised TIA titled Lignes directrices
   relatives aux communications électroniques à la Cour de justice de l’Union européenne, adopted on 13
28 December 2021.
29 Point 3.72 of the EDPS Authorisation Decision of 28 October 2022.
   For description of its functioning see section 3.1.10 of the EDPS Authorisation Decision of 28 October 2022.



                                                                                            9          phone number, mailing address, password and user information included in the
         Court’s directory, the Court uses an identity provider (F5) to identify the users of

         the Court and transmit their data to Cisco through a Security Assertion Markup
         Language (‘SAML’) protocol. Hence, the personal data transmitted is restricted to
         the name and e-mail address. For the avatar, the Court allows its users to choose it
         themselves, and if no choice is made, the avatar is not processed. 30


    25. With regard to the Host and Usage Information: for internal users’ IP Addresses and
         IP Addresses along the Network Path, including internal users connected remotely,
         the Court will use the IP addresses of the Court. For call attendee information,
         including email addresses, username, phone numbers and room device information,

         the Court will: a) not require a user name for external users in a manner allowing for
         the identification of a physical person unless this is required for the proper conduct
         of the meeting or event organised; b) not require external users to provide the email
         addresses, phone numbers or room device information when joining a meeting. In

         addition, according to the Court, meetings are conducted with Voice Over Internet
         Protocol only, which avoids transmission of phone numbers to conduct a Webex
         meeting. 31


    26. Based on the information provided, the EDPS considers that the measures that the
         Court has introduced effectively prevent the chance that the contractual exceptions
         to the Webex Data Residency are triggered. As a result, even though transfers
         remain foreseen under the ELA between the Court and Cisco Systems Inc.,

         the Court’s additional internal measures effectively prevent such transfers
         from taking place. It follows that in these circumstances there are no transfers
         which would require an authorisation under Article 48(3)(a) of the Regulation.


         2. ConditionsofEDPSAuthorisationDecisionof28October2022

    27. Based on the Final Compliance Report, the EDPS’ understanding of facts under
         points 13 and 14 above and considering that some (possible) transfers are not subject
                                   32
         to an EDPS authorisation   , the EDPS finds that the Court complied with all the
         conditions imposed in the EDPS Authorisation Decision of 28 October 2022.

    28. In relation to Condition 6 of the EDPS Authorisation Decision of 28 October 2022
         as regards the relevance of compliance with Protocol No. 7 to the Treaties on the
                                                                                 33
         Privileges and Immunities of the European Union (the ‘Protocol’)          , the EDPS
         concludes the following: the protections afforded by the Protocol extend to personal
         data contained in the archives of the EUIs insofar as such archives contain personal


                                                      
30 Point 143 of the Revised TIA.
31 Point 143 of the Revised TIA.
32
33 See below Section C. Transfers not subject to an EDPS authorisation.
   Condition 6 of the EDPS Authorisation Decision of 28 October 2022 reads as follows: ‘Assess to what extent
   thePrivilegesandImmunitiesoftheCourtbasedonArticle2ofProtocolVIIoftheTreatyontheFunctioning
   of the European Union are recognized in the legal framework of Cisco Systems Inc. US or of its sub-
   processors’.



                                                                                             10          data. The high level of protection that Article 16 TFEU and Article 8 of the Charter
         afford to personal data include, whenever applicable, the protection afforded by the

         Protocol insofar as inviolable archives of the Union contain personal data. In that
         sense, Article 8 of the Charter should be interpreted in conformity with the
         provisions on the secrecy of Union archives in Article 2 of the Protocol in

         order to protect against disclosure of personal data which are part of such
         archives. The assessment of the compliance with the Protocol is however not
         required for the purposes of this Decision. Nevertheless, the EDPS recommends that
         the Court consider the provisions on the secrecy of Union archives in Article 2 of the

         Protocol.

    C. TransfersnotsubjecttoanEDPSauthorisation


         1.    Possiblenon-EU/EEAgovernmentalaccessrequests

     29. In the EDPS Authorisation Decision of 28 October 2022, the EDPS stressed that

         ‘[e]ven if the personal data was stored and processed in the data centres located in the
         EU, the EDPS highlights that such data localisation in the EU in itself and on its own
         does not preclude risks of remote access, in particular in the context of third countries’
         public authorities possible access to data stored (and processed) in the EU. The EDPS

         required that the Court assess, and if finds to be present, properly mitigate, the risk
         of unauthorised disclosure as a result of third-country laws with extra-territorial
         reach.36 


     30. Following the additional explanations provided by the Court, in particular in revised
         documents submitted on 22 May 2023 , the EDPS has reassessed the above risk in
         relation to both the applicable legal framework (i), and the circumstances of the case
         (ii).


         (i) Applicability of Chapter V of the Regulation to merely potential transfers and
         obligations to ensure integrity and confidentiality of personal data against risks of
         remote access.

                                  38
     31. According to the EDPB , a processing operation may be qualified as a transfer when
         three cumulative criteria are met: (1) a controller or a processor (‘exporter’) is subject
         to the GDPR for the given processing, 2) the exporter discloses by transmission or

         otherwise makes personal data, subject to this processing, available to another
         controller, joint controller or processor (‘importer’), and 3) the importer is in a third



                                                      
34 CJEU, 17 December 2020, Commission v. Slovenia, C-316/19, ECLI:EU:C:2020:1030, para 73-75 and 78.
35 Point 3.9 of the EDPS Authorisation Decision of 28 October 2022.
36 Ibid.
37 See point 12 of this Decision.
38 As indicated above (footnote 15), the EDPS by analogy relies on guidance issued by the EDPB in the context

   of its interpretation of the Regulation where the interpreted provisions and principles, like in this case, are
   the same



                                                                                                11          country, irrespective of whether or not this importer is subject to the GDPR for the
                                                                                              39
         given processing in accordance with Article 3, or is an international organisation.

    32. The EDPS finds that for transfers meeting the three cumulative criteria and which
         are envisaged under a contract, i.e., transfers that the controller knows or should

         foresee in the broader context of the execution of the contract, or under other
         organised relationship, a transfer tool under Chapter V of the Regulation must be
         relied upon before any such transfers occur.


    33. In that vein, remote access from a third country constitutes a trans40r when it
         happens if the three above-mentioned criteria are met.                Equally, remote
         governmental access under third-country laws to personal data located and
         processed in the EEA, when it takes place, results in transfers of personal data. 41


    34. However, in the EDPS opinion, the mere risk that remote access by third country
         entities to data processed in the EEA may take place, does not constitute a transfer
         subjected to Chapter V of the Regulation.


    35. The EDPS considers that transfers resulting from unauthorised access by third
         country entities, which are merely potential and in no way foreseeable in light of the
         content or purpose of a contract or another stable relationship between the parties,

         do not fall under the scope of Chapter V of the Regulation. The unlikely and
         unplanned character of such risks of such unauthorised access renders them
         unsuitabletobeexantesubjectedtoregimeofChapterVoftheRegulation.Itfollows
         that for such potential and unplanned transfers a transfer tool under that Chapter

         is not required.

    36. The EDPS recalls that the risks of such potential transfers resulting from the
         application of third-country laws to processors located in the EEA must be part of
                                                                                               42
         controller’s analysis and assessment in line with the principle of accountability.
         Before engaging a processor, the controller must assess the possible application of
         third country extra-territorial laws in order to ensure that, as required by Article 29

         of the Regulation, it only uses processors providing sufficient guarantees to
         implement appropriate technical and organisational measures so that the processing
         is in line with the Regulation.  43Where the processor complies with a disclosure
         request in violation of the controller’s instructions and thus Article 29 of the

         Regulation, that processor shall be, in line with Article 29(10) of the Regulation,
         considered an independent controller of that processing.



                                                      
39 EDPB Guidelines 05/2021, point 9.
40 EDPB Guidelines 05/2021, point 16.
41 By analogy see point 24 of the EDPB Guidelines 05/2021.
42 See also Section 3.6 ‘Risk of access by foreign governments when using non-EU CSPs storing data in the
   EEA’ of the ‘EDPB report ‘2022 Coordinated Enforcement Action Use of cloud-based services by the public
   sector’ adopted on 17 January 2023.
43 By analogy, see point 24 of the EDPB Guidelines 05/2021. See also Section 5 ‘Points for attention for public
   bodies’, in particular page 32, of the EDPB Report on the 2022 Coordinated Enforcement Action.




                                                                                              12      37. When concluding contractual arrangements and providing instructions to the

         processor in line with Article 29 of the Regulation, particular attention should be
         paid to the observance of the principles of integrity and confidentiality under Article
         4(1)(f),andtherelatedArticles33and36oftheRegulationlayingdownrequirements

         for security of the processing operations and security and confidentiality of
         electronic communications, systems and networks.

         (ii) Assessment of the processing operations relevant for the present Decision


     38. In the case at hand, transfers resulting from possible remote governmental access to
         data located in the EEA, while theoretically possible under the laws of the United
         States , are not envisaged nor planned under the contract between the Court and

         Cisco International UK. In that sense, the Court does not plan for such transfers to
         take place in the broader context of the execution of that contract or its stable
         relationship with Cisco Webex entities.


         (iii) Conclusion


     39. Based on the above, the potential transfers of data located in the EEA data
         centres resulting from the application of third-country laws are not covered
         by Chapter V of the Regulation, and the Court does not need to provide for
                                                                                        45
         appropriate safeguards for them by means of contractual clauses.                  As such,
         the EDPS does not include these transfers in the scope of this Decision under Article
         48(3)(a) of the Regulation.


         2.     ProcessingfortheCourt’suseofCiscoTechnicalAssistanceService
                Delivery


     40. One of the exceptions to the Data Residency Program, mentioned in point 22 above,
         iswhenausermakesatechnicalassistancerequesttotheCiscoTechnicalAssistance

         Center (‘TAC’). As a result, transfers to the United States of personal data included
         in the TAC Support Information and Customer Case Attachment take place. In7           48
         order to provide support, Cisco can also access and process User Information as well
                                           49
         as Host and Usage Information.


                                                      
44 Point 3.11 of the EDPS Authorisation Decision of 28 October 2022.
45 However, should Cisco or any sub-processors receive a request from a third country for access or disclosure

   of data in the Court’s use of Cisco Webex services and the Court intends to positively respond to such a
   request, the Court must ensure that such a transfer pursuant to the access request complies with Chapter
   V of the Regulation.
46 Categories of personal data: name, email address, phone number of the employee appointed to open the
   service request, authentication information (exclusive of passwords), work organization and responsibilities,
   current employer name (see point A.2 to Annex 1b to Exhibit A to the Supplementary Agreement).
47 Personal data contained in Customer Case Attachments depend on what is included those Attachments by
   the customer (see point A.2 to Annex 1b to Exhibit A to the Supplementary Agreement).
48 Points 22 and 66 of the Revised TIA.
49 Point 63 of the Revised TIA.




                                                                                                 13     41. According to the Court, the use of TAC support leads to the processing of TAC
         Support Information and the Customer Case Attachments that both include
         personal data. In any case, to provide support, Cisco can access and process User
         Information as well as Host and Usage Information. The TAC Support Information

         and Customer Case Attachments are transferred in all situations to the United
         States: to Salesforce for TAC Support Information and to AWS for Customer Case
         Attachments.

    42. The Court took organisational measures to limit or avoid transfers of personal data

         outside of the EU/EEA in the context of TAC requests. In the adopted and distributed
         internalpolicytoitsstaffmembers,theCourtlaiddowntheproceduretobefollowed
         should support be needed in staff’s use of Cisco Webex services. First, no user can
         directly open a support case with Cisco. Any support request must be first directed
         to the internal help desk (single point of contact) of the Court, which provide

         a first level of support to Court’s staff. Should this first level of support provided by
         the internal help desk not suffice, the request is transferred to the second layer of
         support, i.e. Court’s network engineers. Should any problem related with the
         infrastructure need an escalation to the Cisco TAC support service, this activity is

         organised and done respecting the following rules: 
              Only the authorized Court network engineers can introduce support requests
               to the Cisco TAC service. No personal data relating to the problem is provided
               to Cisco TAC.

              The requests shall be sent to Cisco during the normal Luxembourg working
               hours (8h-19h).

              If further Court data is requested by the Cisco TAC service, the information
               requested should be analysed to determine if it contains personal data.
              In case personal data is involved, the Court network responsible, the Court’s

               DPO and the SSI service shall be informed.
              The Court network engineers, in collaboration with the DPO, shall analyse the
               content of the data and the measures to be taken in order to ensure the

               protection of personal data.
              In case Cisco needs to have remote access to the Court’s Cisco Webex
               infrastructure, the DPO of the Court, in collaboration with the Court network

               engineers, shall analyse the possible risks for the data subjects and decide on
               the legitimacy of this access. 

    43. The EDPS understands that in practice the number of TAC requests initiated by the
         Court does not exceed to 2-3 tickets per year and only takes place where the

         internal Court services cannot solve the issue itself.


                                                      
50 Ibid.
51 Annex II to the revised TIA titled ‘OSU Cisco TAC management procedure’; it was made available to the
   Court’s staff members on 31 January 2023.
52 Assertions made by the Court’s representatives, including the DPO, during an internal meeting at the EDPS
   premises of 25 November 2021.



                                                                                             14     44. With regard to technical safeguards, the Court confirmed that TAC Support

         Information and Customer case attachments are only accessed by Cisco staff, and
         that no personnel from third-party service providers have access to this data. The53
         TAC Support Information is encrypted in transit, while Case Attachments are
         encryptedbothintransitandatrest,inordertosecurepersonaldatafromaccidental
                                                                               54
         loss and unauthorised access, use, alteration, and disclosure.           The keys for
         encryption are managed by Cisco.    55

    45. The EDPS considers that the Court transfers personal data, whether by electronic

         transmission or by making it available to Cisco Systems Inc., for the provision of
         technical support, and that this data is not effectively pseudonymised nor encrypted
         because the processing requires accessing data in the clear.          56Based on his

         understanding of facts, the EDPS is of the opinion that the residual sets of transfers
         resulting from TAC requests cannot be covered by appropriate safeguards, despite
         reasonable efforts of the Court to provide for organisational and technical measures
         vis-à-vis unlikely and small risks of such transfers to data subjects’ rights and

         freedoms. It follows that in these circumstances the Court is unable to provide for
         appropriate safeguards in the form of contractual clauses because effective
         supplementary measures are not conceivable without undermining the aim of the

         providing TAC support. Therefore, these transfers do not fall in the scope of this
         Decision under Article 48(3)(a) of the Regulation.

    46. However, having regard to the need for the Court to dispose of stable services

         provided by Cisco in order to perform its tasks in the public interest, as well as the
         safeguards put in place, the EDPS is of the opinion that these transfers resulting
         from TAC requests can take place in accordance with Article 50, notably by relying
         on Article 50(1)(d) of the Regulation.


    47. Article 50(1) of the Regulation provides that in the absence of an adequacy decision
         pursuant to Article 45(3) of GDPR or to Article 36(3) of the Law Enforcement
         Directive, or of appropriate safeguards pursuant to Article 48 of this Regulation, a

         transfer or a set of transfers of personal data to a third country or an international
         organisation shall take place only where specific conditions are met. Point d) of
         Article 50(1) lists one of these conditions, namely ‘when the transfer is necessary for
         important reasons of public interest’. Such public interest shall be recognised in
                    57
         Union law.

    48. In parallel to what is provided for in Article 49 of the GDPR     58, derogations under
         Article 50 of the Regulation are exemptions from the general principle that personal


                                                      
53 Para 67 of the Revised TIA.
54 Para 93 of the Revised TIA.
55 Point 5 of the Court’s answer of 15 September 2022.
56 See Use Case 6 of the EDPB Recommendations 01/2020 on measures that supplement transfer tools to
   ensure compliance with the EU level of protection of personal data, adopted 18 June 2021 (‘EDPB
   Recommendations 01/2020’).
57 Article 50(3) of the Regulation.
58 See footnote 15.




                                                                                              15          data may only be transferred to third countries or international organisations if an
         adequate level of protection is provided for in the third country or international

         organisation or if appropriate safeguards have been adduced and the data subjects
         enjoy enforceable and effective rights in order to continue to benefit from their
         fundamental rights and safeguards. Due to this fact and considering that Article 50
                                                                                  60
         of the Regulation must be interpreted in accordance with the Charter , derogations
         can apply only in so far as is strictly necessary and must be narrowly construed.     61
         Derogations must also be interpreted restrictively so that the exception does not
                        62
         become a rule. This is also supported by the wording of the title of Article 50 which
         statesthatderogationsaretobeusedforspecificsituations(‘Derogationsforspecific
         situations’).3


    49. When considering transferring personal data to third countries or international
         organizations, data exporters should therefore favour solutions that provide data

         subjects with a guarantee that they will continue to benefit from the fundamental
         rights and safeguards to which they are entitled as regards processing of their data
         once this data has been transferred. As derogations do not provide adequate

         protection or appropriate safeguards for the personal data transferred and as
         transfers based on a derogation are not required to have any kind of prior
         authorisation from the supervisory authorities, transferring personal data to third

         countries on the basis of derogations leads to increased risks for the rights and
         freedoms of the data subjects concerned.   64


    50. The derogation of Article 50(1)(d) of the Regulation requires that the transfer of
         personal data is necessary for important reasons of public interest recognised in
         Union law. In the first place, the data exporter must identify and document the

         existence of such ‘public interest’. Examples of public interest may include
         management and functioning of the EUIs        65, or public security or health . The
         identified public interest must be explicitly ‘recognised’ in ‘Union law’, which

         encompasses EU primary laws, general principles of EU law, international
         agreementsrecognisingacertainobjectiveorprovidingforinternationalcooperation
         to foster that objective (as long as EU and/or the Member States are party to these
                     67
         agreements   ), EU secondary laws, case law of the Court of Justice of the EU, as well
         as internal rules of the EUIs as long as they meet the requirements to be considered
         ‘Union law’ under Recital 23 of the Regulation.



                                                      

59
   EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 (‘EDPB Guidelines
   2/2018’), page 4.
60 CJEU, 13 May 2014, Google Spain and Google, C-131/12, ECLI:EU:C:2014:317, para 68 and case-law cited.
61 CJEU, 11 December 2014, František Ryneš, C-212/13, ECLI:EU:C:2014:2428, paras 28-29 and case-law cited.
62 EDPB Guidelines 2/2018, page 4.
63 Ibid.
64
65 EDPB Guidelines 2/2018, page 4.
   Recital 22 of the Regulation.
66 Recital 69 and Article 25(1)(a) of the Regulation.
67 EDPB Guidelines 2/2018, page 10.




                                                                                              16      51. As any processing operation, such as a transfer, is an interference with the

         fundamental rights, provisions of Article 50 of the Regulation must be interpreted in
         light of the Charter, in particular its Article 52(1). Therefore, in the second place, the
         data exporter must assess and document whether the planned transfer of personal

         data respects the essence of the rights and freedoms that the transfer interferes
         with, and whether the planned transfer is in accordance with the principles of
         proportionalityandnecessity.Inotherwords,thedataexportermustsatisfyitself

         that it is necessary to process the personal data in question to attain the identified
         important public interest and that there are no less intrusive measures which would
         be comparably effective , as well as that, on balancing of interests, the identified
         public interest is important enough to justify the interference in question. As part

         ofthatanalysis,thedataexportermustconsider,interalia,thecategoriesofpersonal
         data transferred and of data subjects, character (e.g., large-scale   70) and regularity of
         the transfers (systematic , or occasional and non-repetitive). Article 50(1)(d) of the

         Regulation may not be relied on for transfers that are both large-scale and
         systematic. 72

     52. In the case at hand, the EDPS finds that there is a public interest of ensuring

         management and functioning of the Court, as also confirmed by Recital 22 of the
         Regulation: being auxiliary to the main service of video-conferencing, technical
         assistance support is a quintessential element for proper functioning of video-

         conferencing software in line with state-of-the-art integrity and security standards.
         In turn, having a properly functioning video-conferencing tool has become
         indispensable to the daily functioning of the EUIs, such as the Court, as it allows for
         remote communication of staff members working from home.


     53. Further, there is no alternative measure which would be less intrusive to the rights
         and freedoms of data subjects, and which would be comparably effective to the

         current set-up of TAC requests at the Court. Considering that, based on the
         information provided, the processing operations involve limited categories of
         personaldata,transfersareveryrareandaffectverylimitednumberofdatasubjects,
         the Court may rely for transfers resulting from TAC requests on the

                                                      
68 See Step 4 of steps to be followed are described in ‘Assessing the necessity of measures that limit the
   fundamental right to the protection of personal data: A Toolkit’.
69 See ‘Checklist for assessing proportionality of new legislative measures’, p. 12-33, in EDPS Guidelines on
   assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection
   of personal data.
70 Article 29 Working Party (‘WP29’) indicated that the following factors should in particular be consider when
   determining if a processing operation is ‘large-scale’: the number of data subjects concerned - either as a

   specific number or as a proportion of the relevant population, the volume of data and/or the range of
   different data items being processed, the duration, or permanence, of the data processing activity, the
   geographical extent of the processing activity (see WP29 Guidelines on Data Protection Officers, endorsed
   by the EDPB, p. 8).
71 Transfers are systematicwhen they regularlyoccurwithina stablerelationship (seeEDPBGuidelines2/2018
   on derogations of Article 49 under Regulation 2016/679, p. 9). WP29 defined ‘systematic’ as meaning one or
   more of the following: occurring according to a system, pre-arranged, organised or methodical, taking place
   as part of a general plan for data collection, carried out as part of a strategy (see WP29 Guidelines on Data
   Protection Officers, endorsed by the EDPB, p. 9).
72 EDPB Guidelines 2/2018, page 11.




                                                                                                  17         derogation provided for under Article 50(1)(d) and (3) of the Regulation. It
        follows that such transfers do not fall within the scope of the present
        Decision.


         3.   Transfersofbusinesscustomerinformation

    54. One of the exceptions to the Data Residency Program, mentioned in point 22 above,
        is when a Customer, i.e., the Court, provides ordering information (business contact
        information). The Court explained that the ordering information is handled in the
        contract between the Court and Cisco International Limited UK. No further business
                                                                                73
        contactinformationisrequiredfortheuseofWebexservicesbytheCourt. Personal
        data transferred are the name and surname of the representative of the Court
        empowered to enter into the contract, as well as names, surnames and email
        addresses of Court’s contacts for service management and technical matters. That
        data may be handled at a Cisco data centre in any location, and certainly is
        transferred to the United States.

    55. Similartothereasoninginpoints49-53above,theEDPSisoftheopinionthatRecital
        22 of the Regulation recognises the public interest of the Court in concluding and

        managing contracts for necessary services that are linked with the management of
        that institution. Likewise, there is no alternative measure which would be less
        intrusive to the rights and freedoms of data subjects, and which would be
        comparably effective. Considering that, based on the information provided, the
        processing operations involve very limited categories of personal data, transfers are
        very rare and affect very limited number of data subjects, the Court can, for
        transfers resulting from contract management, make use of the derogations

        provided for under Article 50(1)(d) and (3) of the Regulation. It follows that
        such transfers do not fall within the scope of the present Decision.

IV.      CONCLUSION


    56. Pursuant to Article 58(3)(e) of the Regulation, the EDPS finds that there are no
        transfers of personal data that would fall under the scope of an authorisation
        decision of contractual clauses referred to in Article 48(3)(a) of the Regulation.

    57. This Decision is without prejudice to EDPS’ investigative and corrective
        powers under Article 58 of the Regulation.

Done at Brussels, 13 July 2023




Wojciech Rafał WIEWIÓROWSKI

        (e-signed)

73                                                    
   Point 132 b) of the Revised TIA.



                                                                                        18