International Data Transfers in GDPR
Updated: Aug 12
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.
These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.
Article 44 explains international data transfers as below;
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.
Companies can rely on 3 different legal bases for data transfer to a third country or an international organisation. These are explained in detail below.
Transfers on the basis of an adequacy decision
Article 45.1 states that a transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. Currently there are 12 countries that the European Commission found adequate for free data movement.
EU adequacy agreements have faced increased scrutiny over the last two years: in 2015, the European Court of Justice ruled the EU safe harbour deal with the United States to be illegal because the US did not protect Europeans from government surveillance. The Commission signed off last year on the privacy shield, a replacement arrangement to uphold billions of euros in digital trade between the EU and the US.
In addition to the controversial privacy shield deal with the US, the EU has adequacy agreements that allow companies to share data with Switzerland, Andorra, the Faroe Islands, Guernsey, Jersey, the Isle of Man, Argentina, Canada, Israel, New Zealand and Uruguay.
Next year, EU privacy standards will become even tougher when the bloc’s sweeping new data protection regulation goes into effect.
In an opening speech at Wednesday’s privacy conference, EU Justice Commissioner Vera Jourova said that more and more countries outside the EU are passing their own privacy laws.
Gencarelli told conference attendees that paves the way for adequacy agreements that allow businesses to move data seamlessly across borders. It is easier for the Commission to agree to deals with other countries that have broad privacy laws like the EU does, he said. The US, for example, has sectoral rules but does not have sweeping privacy legislation.
“If we want a solution for international transfers – long-lasting – it has to be built on convergence and on hard law convergence,” he said.
Transfers subject to appropriate safeguards
Article 46.1 states that in the absence of a decision pursuant to Article 45 (adequacy), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
1- Standard data protection clauses by The Commission
Companies can rely on standard clauses published by The Commission (2010). This is the most common way of providing appropriate safeguards supported by a contract. There us a confusion in the ecosystem how to call this, so, you may have heard of this as model contract or model clauses.
2 - Standard data protection clauses by the Supervisory Authority
Supervisory authority can create a different standard contract than to the one published by The Commission. This has to be approved by The Commission. Once approved, it can be used like the one above.
3- Binding Corporate Rules
This method is mostly used for international companies that share data between the subsidiaries or group companies in different countries. It is crucial to mention that the binding corporate rules have to be approved by the supervisory authority and it is a lengthy, difficult process which may take up to 1-2 years. The minimum set of rules that have to be included is explained as below in GDPR Article 47;
the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;
the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;
their legally binding nature, both internally and externally;
the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;
the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;
the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;
how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;
the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;
the complaint procedures;
the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority;
the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point (j);
the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and
the appropriate data protection training to personnel having permanent or regular access to personal data.
4 - Codes of Conduct
Trade associations or bodies representing a sector can create codes of conduct, in consultation with relevant stakeholders, including the public where feasible. They can amend or extend existing codes to comply with the GDPR requirements. They have to submit the draft code to supervisory authority for approval.
Adhering to a code of conduct shows that you:
follow the GDPR requirements for data protection; and that
are addressing the level of risk relevant to your sector and the type of processing you are doing. For example, in a ‘high risk’ sector, such as processing children’s or health data, the code may contain more demanding requirements.
Adhering to a code of conduct can help you to:
be more transparent and accountable - enabling businesses or individuals to distinguish which processing activities, products, and services meet GDPR data protection requirements and they can trust with their personal data;
have a competitive advantage;
create effective safeguards to mitigate the risk around data processing and the rights and freedoms of individuals;
help with specific data protection areas, such as international transfers;
improve standards by establishing best practice;
mitigate against enforcement action; and
demonstrate that you have appropriate safeguards to transfer data to countries outside the EU.
5 - Certification
In the UK the certification framework will involve:
the ICO publishing accreditation requirements for certification bodies to meet;
the UK’s national accreditation body, UKAS, accrediting certification bodies and maintaining a public register;
the ICO approving and publishing certification criteria for certification schemes;
accredited certification bodies (third party assessors) issuing certification; and
controllers and processors applying for certification and using certifications.
The ICO has no plans to accredit certification bodies or carry out certification at this time, although the GDPR does allow this.
Across EU member states, the EDPB will collate all EU certification schemes in a public register. There is also scope for a European Data Protection Seal.
The GDPR says that certification is also a means to:
demonstrate compliance with the provisions on data protection by design and by default (Article 25(3));
demonstrate that you have appropriate technical and organisational measures to ensure data security (Article 32 (3)); and
to support transfers of personal data to third countries or international organisations (Article 46(2)(f)).
6 - Custom contractual clauses
Custom contractual clauses or provisions agreed by the parties that is authorised by the competent supervisory authority. This process is also not very easy and can take up to 1 year.
Transfers Based Derogations
The GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations. A transfer, or set of transfers, may be made where the transfer is:
made with the individual’s informed consent;
necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request;
necessary for the performance of a contract made in the interests of the individual between the controller and another person;
necessary for important reasons of public interest;
necessary for the establishment, exercise or defence of legal claims;
necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or
made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).
The first three derogations are not available for the activities of public authorities in the exercise of their public powers.
ICAN Consultancy Advice
Standard data protection clauses is the simplest way, use this one if you can. We recommend you to check if your supervisory authority released standard clauses before using the commission's one. If your supervisory authority released one, we'd recommend you to use that one.
Derogations should always be the last choice.
If you (1)have international operations interconnecting local group companies and (2) have to share information between group companies or collect data to manage centrally and (3) number of companies is too high and the structure changes frequently then you can follow the route for corporate binding rules but if the number of group companies is not high or the structure does not change frequently then you may choose to sign contracts with the group companies including standard data protection clauses.
If you want to get in touch and get free consultancy on GDPR, please visit our homepage.
Also, you can claim %90 discount to our GDPR Certification training using this link below; https://www.udemy.com/course/gdpr-compliance-preparation-to-cipp-e-certification-test/?referralCode=222D984161CD11E7C5F4