Implementing Supplementary Measures

Implementing Supplementary Measures

Overview

EDPB Recommendations 01/2020 (Version 2.0, adopted 18 June 2021) establish that where a Transfer Impact Assessment reveals protection gaps in the destination country's legal framework, supplementary measures must be adopted to bring the level of protection up to the EU standard of essential equivalence. These measures fall into three categories: technical, contractual, and organisational. The measures must be effective in practice — not merely theoretical — and their effectiveness must be reassessed at appropriate intervals.

Technical Supplementary Measures

Measure T1: End-to-End Encryption with EU-Held Keys

Description: Personal data is encrypted before leaving the EU/EEA using strong encryption algorithms, with decryption keys held exclusively by the data exporter or a trusted entity within the EU/EEA. The data importer in the third country receives and stores only ciphertext.

Technical specification at Athena Global Logistics:

• Algorithm: AES-256-GCM for data at rest; ChaCha20-Poly1305 as alternative for streaming data
• Key management: AWS KMS with Customer Managed Keys (CMK) hosted in the eu-central-1 (Frankfurt) region; keys never exported outside EEA
• Key rotation: Automatic rotation every 365 days; immediate rotation upon suspected compromise
• Certificate management: X.509 certificates issued by the internal PKI hosted in Berlin; certificate pinning for API endpoints
• Implementation: Application-layer encryption performed by the exporter's middleware before data is transmitted to the importer

Effectiveness: High — the third-country government cannot compel the importer to produce plaintext data because the importer does not possess the decryption keys. This measure is effective against compelled disclosure at rest and in transit.

Limitation: Only applicable where the importer does not need to process the data in plaintext. If the importer must read, analyse, or transform the data, this measure alone is insufficient.

Applicable scenario: Backup storage, archival, and transit-only scenarios where the importer serves as a conduit or storage provider.

Measure T2: Pseudonymisation with EU-Held Mapping Table

Description: Directly identifying personal data elements are replaced with pseudonymous identifiers before transfer. The mapping table linking pseudonyms to real identities is held exclusively by the data exporter within the EU/EEA.

Technical specification at Athena Global Logistics:

• Pseudonymisation method: HMAC-SHA256 with a secret key held in the Berlin key vault; applied to: customer names, email addresses, phone numbers, and customs identification numbers
• Mapping table: Stored in a dedicated PostgreSQL instance in the Frankfurt data centre; access restricted to the data protection team (4 authorised users)
• Transfer payload: Pseudonymised dataset retains consignment references, shipping addresses (generalised to city level), and delivery dates — sufficient for the importer to perform logistics operations
• Re-identification: Only possible by the exporter using the secret HMAC key and mapping table

Effectiveness: High — the transferred dataset cannot be attributed to identified natural persons by the importer or any third party (including government authorities) without access to the mapping table.

Limitation: Requires that the importer can fulfil its processing purpose without accessing the original identifying data. Not suitable where the importer must contact data subjects directly or produce documentation bearing real names.

Measure T3: Split Processing

Description: The processing operation is divided such that no single entity in the third country holds the complete dataset. Each fragment, viewed in isolation, does not constitute personal data or cannot be attributed to an identified individual.

Technical specification at Athena Global Logistics:

• Architecture: Two-party split where customer identity data (names, contact details) remains in the Frankfurt data centre and only operational data (consignment IDs, routing codes, timestamps) is transferred to the Hong Kong processing centre
• Linkage prevention: The transferred dataset uses internal reference codes that are meaningful only when joined with the identity dataset held in Frankfurt
• Recombination: Performed only within the EU/EEA environment by the exporter's analytics platform

Effectiveness: High — neither the importer nor the destination country government can reconstruct the full personal dataset from the transferred fragment alone.

Limitation: Requires significant architectural investment and may reduce the importer's processing efficiency. Applicable only where the processing can be meaningfully divided.

Measure T4: Transport-Layer Encryption

Description: All data transfers are protected by transport-layer security (TLS 1.3 or equivalent) to prevent interception in transit.

Technical specification at Athena Global Logistics:

• Protocol: TLS 1.3 mandatory for all API endpoints; SFTP with AES-256 for batch file transfers
• Cipher suites: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 (weak cipher suites disabled)
• Certificate validation: Mutual TLS (mTLS) authentication between exporter and importer systems
• HSTS: HTTP Strict Transport Security with max-age=31536000, includeSubDomains

Effectiveness: Medium — protects data against interception in transit by third parties but does not protect against compelled disclosure of data at rest by the importer or government authorities accessing the importer's systems.

Applicable as: Baseline measure for all transfers, combined with other measures for comprehensive protection.

Measure T5: Anonymisation Before Transfer

Description: Personal data is irreversibly anonymised before transfer, rendering the transferred dataset outside the scope of the GDPR (Recital 26).

Technical specification at Athena Global Logistics:

• Technique: k-anonymity (k=5) combined with l-diversity applied to aggregated shipment analytics data
• Generalisation: Geographic data generalised to country level; dates generalised to month; volumes aggregated to weekly totals
• Singling-out test: Conducted per WP29 Opinion 05/2014 on Anonymisation Techniques to verify no individual can be singled out, linked, or inferred from the anonymised dataset

Effectiveness: Complete — anonymised data is not personal data and Chapter V transfer rules do not apply. However, the utility of the data for the importer may be significantly reduced.

Contractual Supplementary Measures

Measure C1: Obligation to Challenge Government Access Requests

Contractual clause: The data importer undertakes to challenge any government access request that: (a) is disproportionate to the stated legal objective; (b) exceeds the scope authorised by the applicable legislation; (c) is incompatible with the protections afforded by the SCCs. The importer shall exhaust all available legal remedies before disclosing any data in response to a government request.

Implementation at Athena Global Logistics: Included as Clause 3.1 of the SCC Supplementary Measures Addendum executed with TransPacific Freight Solutions Ltd on 15 March 2025.

Measure C2: Transparency Obligation for Government Access

Contractual clause: The data importer shall notify the data exporter within 48 hours of receiving any government access request relating to transferred personal data. Where local law prohibits notification, the importer shall use best efforts to obtain a waiver of the prohibition and shall, at minimum, provide aggregated statistical information about government requests received on an annual basis.

Implementation: Included as Clause 3.2 of the SCC Supplementary Measures Addendum. Additionally, TransPacific Freight Solutions publishes an annual transparency report covering all government data access requests by jurisdiction and legal basis.

Measure C3: Audit Rights

Contractual clause: The data exporter or its designated independent auditor has the right to conduct on-site or remote audits of the data importer's data processing facilities, systems, and records at least once during each 12-month period, with 30 days' prior written notice. The importer shall cooperate fully with the audit and provide access to all relevant personnel, systems, and documentation.

Implementation: Included in SCC Clause 8.9 and supplemented by Clause 3.3 of the Addendum specifying the audit scope, methodology, and reporting requirements.

Measure C4: Warrant Canary

Contractual clause: The data importer shall publish a monthly statement confirming that, during the preceding month, it has not received any government order that would require the disclosure of transferred personal data under circumstances that would prevent notification to the data exporter. The absence of such a statement shall serve as notice to the exporter.

Implementation: TransPacific Freight Solutions publishes the warrant canary statement on the 5th business day of each month on a dedicated page of its corporate website accessible to Athena Global Logistics.

Measure C5: Data Localisation Commitment

Contractual clause: The data importer shall not transfer, store, or process the transferred personal data in any jurisdiction other than the agreed destination country (Hong Kong SAR) without the prior written consent of the data exporter. Sub-processor processing in other jurisdictions requires execution of separate SCCs or equivalent safeguards.

Implementation: Included as Clause 3.5 of the Addendum; enforced through technical controls restricting data replication to the Hong Kong data centre only.

Organisational Supplementary Measures

Measure O1: Internal Access Policies

Description: The data importer implements strict role-based access controls limiting data access to the minimum number of named personnel with a documented business need.

Implementation at TransPacific Freight Solutions:

• 12 named employees authorised to access transferred personal data
• Access justified by individual role description and approved by the Privacy Officer
• Quarterly access reviews conducted; access revoked within 24 hours upon role change
• Access logs retained for 24 months and available to the exporter upon request

Measure O2: Transparency Reports

Description: The data importer publishes periodic transparency reports detailing the number and nature of government data access requests received, to the extent permitted by local law.

Implementation: Annual transparency report published in Q1 covering the preceding calendar year. Report includes: number of requests by jurisdiction, legal basis cited, data categories requested, and outcome (full disclosure, partial disclosure, challenge, withdrawal).

Measure O3: ISO 27001/27701 Certification

Description: The data importer obtains and maintains independent certification against ISO 27001:2022 (information security) and ISO 27701:2019 (privacy information management), providing third-party verification that technical and organisational measures meet international standards.

Implementation: TransPacific Freight Solutions certified to ISO 27001:2022 (certificate valid to 31 December 2026) and ISO 27701:2019 (certificate valid to 31 December 2026). Surveillance audits conducted annually by TUV Rheinland.

Measure O4: Incident Escalation Protocol

Description: Documented procedure for the importer to escalate data protection incidents, including government access events, to the exporter within defined timeframes.

Implementation:

• Government access request received: Notify exporter within 48 hours (or immediately if disclosure is imminent)
• Data breach involving transferred data: Notify exporter within 24 hours per SCC Clause 8.6
• Employee misconduct involving data access: Notify exporter within 72 hours
• Escalation chain: Importer Privacy Officer → Exporter DPO → Exporter Legal Counsel → Exporter Board (if material)

Effectiveness Assessment Matrix

Measure	Technical Risk Addressed	Effectiveness Against Compelled Disclosure	Effectiveness Against Bulk Surveillance	Residual Risk
T1 — E2E encryption with EU keys	Data at rest and in transit	High	High	None if keys remain in EU
T2 — Pseudonymisation	Re-identification	High	High	Low — sophisticated attacks may enable re-identification through auxiliary data
T3 — Split processing	Complete dataset exposure	High	High	Low — requires careful architecture to prevent fragment recombination
T4 — TLS 1.3	Transit interception	High (transit only)	Medium	Medium — does not protect at rest
T5 — Anonymisation	All — data is no longer personal	Complete	Complete	None — but utility is reduced
C1 — Challenge obligation	Disproportionate requests	Medium	Low	Medium — effectiveness depends on importer's legal standing and judiciary
C2 — Transparency	Visibility	Medium	Low	Medium — may be blocked by gag orders
C3 — Audit rights	Compliance verification	Medium	Low	Medium — retrospective, not preventive
C4 — Warrant canary	Gag order detection	Low-Medium	Low	High — indirect signal only
O1 — Access policies	Insider risk	Medium	Low	Medium — does not prevent compelled disclosure
O2 — Transparency reports	Accountability	Medium	Low	Medium — aggregate data only
O3 — ISO certification	Control assurance	Medium	Low	Medium — certification is point-in-time

Selection Methodology

1. Identify the specific EEG gaps from the TIA (Step 3 output).
2. For each gap, identify which supplementary measure category addresses it.
3. Prioritise technical measures as the first line of defence — they provide the strongest protection.
4. Layer contractual measures to create legal obligations that reinforce technical protections.
5. Add organisational measures to provide governance and verification.
6. Assess whether the combined package of measures effectively bridges all identified gaps.
7. If gaps remain unbridgeable, the transfer must not proceed.
8. Document the selection rationale in the TIA record.