supplementary-measures

Implementing Supplementary Measures

Overview

EDPB Recommendations 01/2020 (Version 2.0, adopted 18 June 2021) establish that where a Transfer Impact Assessment reveals protection gaps in the destination country's legal framework, supplementary measures must be adopted to bring the level of protection up to the EU standard of essential equivalence. These measures fall into three categories: technical, contractual, and organisational. The measures must be effective in practice — not merely theoretical — and their effectiveness must be reassessed at appropriate intervals.

Technical Supplementary Measures

Measure T1: End-to-End Encryption with EU-Held Keys

Description: Personal data is encrypted before leaving the EU/EEA using strong encryption algorithms, with decryption keys held exclusively by the data exporter or a trusted entity within the EU/EEA. The data importer in the third country receives and stores only ciphertext. The measure is only effective if neither the importer nor any authority able to compel it can obtain the keys: where the importer is itself the provider that operates the key store, that condition has to be verified rather than assumed. The Recommendations also expect the algorithm and key length to be state of the art and robust against cryptanalysis by the third-country authorities for as long as the data needs protection.

Technical specification at Athena Global Logistics:

  • Algorithm: AES-256-GCM for data at rest; ChaCha20-Poly1305 as alternative for streaming data
  • Key management: AWS KMS with Customer Managed Keys (CMK) hosted in the eu-central-1 (Frankfurt) region; keys never exported outside EEA
  • Key rotation: Automatic rotation every 365 days; immediate rotation upon suspected compromise. Rotation adds new key material while the prior versions are retained so that existing ciphertext stays readable, so a suspected compromise additionally requires re-encrypting the affected data under new key material and retiring the old key
  • Certificate management: X.509 certificates issued by the internal PKI hosted in Berlin; certificate pinning for API endpoints
  • Implementation: Application-layer encryption performed by the exporter's middleware before data is transmitted to the importer
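Worked example (added here; it is not code from this page or from Athena Global Logistics): a Go program showing the exporter-side shape of T1 as envelope encryption. Each record gets a fresh data key, the record is sealed with AES-256-GCM, and the data key is wrapped under a key-encryption key that only an EU-side key service ever holds; the importer receives the envelope and nothing else. The EUKeyService type, the key alias athena-transfer-key and the sample record are hypothetical stand-ins. The service imitates KMS rotation by keeping every key version so that envelopes wrapped before a rotation still open, but it is not the AWS KMS API, which in production would perform the wrapping inside eu-central-1.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomKey returns 32 fresh random bytes; with no entropy nothing below is safe, so it panics.
func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// newAEAD builds an AES-256-GCM AEAD from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext under key with aad bound in; output is nonce || ciphertext || tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext, tag or aad is rejected.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// EUKeyService is a hypothetical in-process stand-in for a KMS whose key material stays in
// the EEA (it is not the AWS API). Old KEK versions are retained after rotation, as KMS does.
type EUKeyService struct{ versions map[string][][]byte } // keyID -> KEK versions, newest last

// Rotate adds a fresh 256-bit KEK version for keyID, creating the key if absent.
func (s *EUKeyService) Rotate(keyID string) {
	s.versions[keyID] = append(s.versions[keyID], randomKey())
}

// Wrap seals a data key under the newest KEK version and reports that version.
func (s *EUKeyService) Wrap(keyID string, dek []byte) (int, []byte, error) {
	vs := s.versions[keyID]
	if len(vs) == 0 {
		return 0, nil, fmt.Errorf("unknown key %q", keyID)
	}
	blob, err := gcmSeal(vs[len(vs)-1], dek, []byte(keyID))
	return len(vs) - 1, blob, err
}

// Unwrap recovers a data key with the KEK version it was wrapped under.
func (s *EUKeyService) Unwrap(keyID string, version int, blob []byte) ([]byte, error) {
	if vs := s.versions[keyID]; version >= 0 && version < len(vs) {
		return gcmOpen(vs[version], blob, []byte(keyID))
	}
	return nil, fmt.Errorf("unknown version %d of key %q", version, keyID)
}

// Envelope is everything the importer receives; without the KEK none of it yields plaintext.
type Envelope struct {
	KeyID               string
	KeyVersion          int    // KEK version the data key was wrapped under
	WrappedDEK, Payload []byte // data key sealed under the KEK; record sealed under the data key
}

// SealForExport is the exporter-side middleware step: fresh data key per record, encrypt the
// record, wrap the data key under the EU-held KEK, zero the plaintext data key on the way out.
func SealForExport(kms *EUKeyService, keyID string, record []byte) (*Envelope, error) {
	dek := randomKey()
	defer func() { for i := range dek { dek[i] = 0 } }()
	ver, wrapped, err := kms.Wrap(keyID, dek)
	if err != nil {
		return nil, err
	}
	payload, err := gcmSeal(dek, record, []byte(keyID)) // aad ties the payload to its key
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, KeyVersion: ver, WrappedDEK: wrapped, Payload: payload}, nil
}

// OpenInEU is the only route back to plaintext; it needs the service holding the KEK.
func OpenInEU(kms *EUKeyService, env *Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.KeyID, env.KeyVersion, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Payload, []byte(env.KeyID))
}

func main() {
	kms, keyID := &EUKeyService{versions: map[string][][]byte{}}, "athena-transfer-key" // hypothetical alias
	kms.Rotate(keyID)
	record := []byte(`{"consignee":"Jane Doe","city":"Berlin"}`) // constructed sample record
	env, _ := SealForExport(kms, keyID, record)
	kms.Rotate(keyID) // annual rotation: the earlier envelope must stay readable
	back, err := OpenInEU(kms, env)
	fmt.Println(err == nil && bytes.Equal(back, record), bytes.Contains(env.Payload, record))
}
```

Two properties are worth checking before calling a deployment T1-compliant, and both fall out of this structure: the bytes leaving the EU never contain the record or the plaintext data key (and the AAD binding stops an envelope from being re-pointed at another key), and an envelope is unreadable to anyone holding a different key service, which is exactly the position the importer is in.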