Transfers of personal data to countries outside of the European Economic Area (EEA) are often essential in view of international trade or cooperation. Your SME may have to transfer personal data to a country outside the EEA in the course of its activities, for example, when you need to share personal data with your business partners or with your suppliers who are based outside the EEA.
The GDPR contains specific provisions for such transfers. With these provisions, the GDPR aims to guarantee an equivalent level of protection to personal data being transferred to the one they enjoy within the EEA.
When does a transfer of personal data outside the EEA occur?
The GDPR does not provide a definition of such transfers. However, the EDPB has identified the following three cumulative criteria to identify a transfer outside the EEA:
- a controller or a processor is subject to the GDPR for the given processing;
- this controller or processor discloses by transmission or otherwise makes personal data available to another organisation (data controller or processor);
- this other organisation is in a country outside the EEA or is an international organisation.
How to transfer personal data outside the EEA?
In a nutshell, the GDPR imposes restrictions on the transfer of personal data outside the EEA, to non-EEA countries or international organisations, to ensure that the level of protection of individuals granted by the GDPR remains the same.
Personal data may only be transferred outside of the EEA in compliance with the conditions for such transfers laid down in Chapter V of the GDPR.
The conditions for transfers have to be respected in addition to the general compliance with other GDPR rules. For example, these conditions form an additional requirement to the basic processing principles, which also need to be respected in the context of international transfers. When transferring personal data, you still need to make sure that you have an appropriate legal basis for processing; that the necessary security measures are implemented; that you only process the personal data necessary for this particular processing activity (principle of data minimisation), etc. If the recipient of the personal data acts as a data processor, you are still legally required to set up a contract, just like you would for a processor within the EEA.
Under the GDPR, there are, in principle, two main ways to transfer personal data to a non-EEA country or international organisation. Transfers may take place on the basis of an adequacy decision, or, in the absence of such a decision, on the basis of appropriate safeguards, including enforceable rights and legal remedies for individuals. In the absence of either an adequacy decision or appropriate safeguards, the GDPR allows for some derogations in certain situations.
You will find more information on the different options below.
Data transfers on the basis of an adequacy decision
The European Commission has the possibility to adopt adequacy decisions to formally confirm, with binding effect on EEA countries, that the level of data protection in a non-EEA country or an international organisation is essentially equivalent to the level of protection in the European Economic Area.
When assessing the adequacy of the level of protection, the European Commission considers elements like rule of law, respect for human rights and fundamental freedoms, as well as whether or not data subjects’ rights are effective and enforceable, the existence and effective functioning of an independent data protection authority in the non-EEA country and the international commitments the country or international organisation has entered into.
If the European Commission decides that the country offers an adequate level of protection and an adequacy decision is adopted, personal data can be transferred to another company or organisation in that non-EEA country without the data exporter, i.e. the entity transferring the data, being required to provide further safeguards or being subject to additional conditions related to international transfers. In other words, transfers to an “adequate” non-EEA country will be comparable to a transfer of data within the EEA. However, your organisation will still have to comply with the other basic principles of the GDPR, as explained above.
Adequacy decisions may cover a country as a whole or be limited to a part of it (i.e. to a region). Adequacy decisions may cover all data transfers to a country or be limited to some types of transfers (e.g. in one sector).
So far, the European Commission has adopted adequacy decisions for:
- Andorra,
- Argentina,
- Canada (commercial organisations),
- Faroe Islands,
- Guernsey,
- Israel,
- Isle of Man,
- Japan,
- Jersey,
- New Zealand,
- Republic of Korea,
- Switzerland,
- United Kingdom,
- United States (commercial organisations participating in the EU-US Data Privacy Framework),
- Uruguay.
The European Commission publishes the list of its adequacy decisions on its website.
Data exporters are responsible for monitoring whether adequacy decisions relevant to their transfers are still in force and not in the process of being revoked or invalidated.
Please note that adequacy decisions do not prevent individuals from filing a complaint. Neither do they prevent data protection authorities (DPAs) from exercising their powers under the GDPR.
Data transfers on the basis of appropriate safeguards
In the absence of an adequacy decision, organisations may also transfer personal data where appropriate safeguards vis-à-vis the organisation receiving the personal data can be provided. In addition, individuals must be able to exercise their rights and have effective legal remedies available to them.
Art. 46 GDPR lists a series of transfer tools containing “appropriate safeguards” that you may use to transfer personal data to non-EEA countries in the absence of adequacy decisions. The main types of Art. 46 GDPR transfer tools, relevant to private organisations, are:
- Standard data protection clauses (SCCs);
- Binding corporate rules (BCRs);
- Codes of conduct;
- Certification mechanisms;
- Ad hoc contractual clauses.
Standard contractual clauses (SCCs)
Standard contractual clauses (SCCs) are a set of standardised contracts enabling data exporters to provide appropriate safeguards. It is a tool commonly used by many organisations. The European Commission has the power to adopt SCCs as an appropriate safeguard for transfers of personal data to non-EEA countries under Art. 46(2)(c) GDPR.
On 4 June 2021, the European Commission adopted an implementing decision on SCCs for the transfer of personal data to non-EEA countries under the GDPR. The European Commission also provides a set of standard contractual clauses on their website. Find out more about the standard contractual clauses.
The SCCs address various transfer scenarios and the complexity of modern processing chains. Data controllers and processors can use several options, depending on the specific circumstances of the transfer, which include:
- controller-to-controller (C2C);
- controller-to-processor (C2P);
- processor-to-processor (P2P);
- processor-to-controller (P2C), the processor being in the EU and the controller in a third country.
Other important aspects of the SCCs include:
- a possibility for more than two parties to adhere to the clauses;
- a possibility, with some exceptions, to use SCCs when transferring personal data to a sub-processor in a non-EEA country;
- a possibility, with some exceptions, for individuals to invoke the clauses as third-party beneficiaries;
- rules on liability between the parties in case individuals’ rights are breached;
- individuals’ right to compensation for damage suffered when their rights as a third-party beneficiary have been breached;
- a requirement to carry out a “transfer impact assessment” documenting the specific circumstances of the transfer, the laws in the country of destination and the additional safeguards put in place to protect the personal data;
- obligations in case of access by public authorities to the data transferred, e.g. the obligation to provide information to data exporters and to challenge unlawful requests.
Binding Corporate Rules (BCRs)
Binding Corporate Rules (BCRs) help ensure an adequate level of protection for data exchanged within a group of companies located both inside and outside the EEA, and are more suited for a multinational group of companies that carries out a large number of data transfers.
BCRs are internal rules adopted by a group of companies, which set out their global policy for transfers of personal data. These rules must be binding and respected by all group entities, regardless of their host countries. Moreover, they must expressly confer enforceable rights on individuals with regard to the processing of their personal data.
The conditions that need to be respected in order to get BCRs approved by the competent DPA are listed in Art. 47 GDPR. There are different conditions for controller BCRs, set out in the EDPB BCR-C recommendations, and for processor BCRs, set out in the recommendations adopted by the Working Party 29 and endorsed by the EDPB.
Codes of conduct
The GDPR introduces this new tool for data transfers. Contrary to BCRs, which can be prepared directly by individual groups of companies, codes of conduct are sectoral and developed by associations representing categories of organisations. A system of accredited bodies that monitor compliance with the code of conduct has to be put in place. The EDPB has taken the initiative to clarify the conditions under which codes of conduct may be used and approved by the competent authorities. In addition to this, the EDPB is also in charge of ensuring consistency of the conditions under which monitoring bodies can be accredited.
Certification
The GDPR introduces this new tool for data transfers to organisations which have been certified by certification bodies or EEA DPAs.
The EDPB has adopted guidelines to clarify the conditions under which a certification mechanism can be put in place. This tool is still under development.
The EDPB is also in charge of ensuring consistency of the conditions to accredit certification bodies.
Ad hoc contractual clauses
If data controllers or data processors decide not to use the European Commission's standard contractual clauses, they can draft their own contractual clauses (“ad hoc” clauses) offering sufficient data protection safeguards. Prior to any data transfer, such ad hoc contractual clauses must be authorised by the competent national DPA in line with Art. 46(3)(a) GDPR, following an opinion of the EDPB.
Supplementary measures post Schrems II ruling
In its 2020 judgment C-311/18 (Schrems II), the Court of Justice of the European Union (CJEU) stressed the possible need for organisations to provide supplementary measures in addition to the appropriate safeguards when transferring personal data outside the EEA.
SCCs and other transfer tools mentioned under Art. 46 GDPR do not operate in a vacuum. The CJEU stated that data controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis, whether the law or practice of the non-EEA country (for example, legislation requiring access to data) impinges on the effectiveness of the appropriate safeguards contained in the Art. 46 GDPR transfer tools.
To help exporters with the complex task of assessing the countries receiving the data and identifying appropriate supplementary measures where needed, the EDPB has adopted recommendations.
Data transfers on the basis of derogations
Besides adequacy decisions and Art. 46 GDPR transfer tools, the GDPR contains a third avenue allowing transfers of personal data in certain situations. Subject to specific conditions, you may still be able to transfer personal data based on a derogation listed in Art. 49 GDPR.
Art. 49 GDPR has an exceptional nature. The derogations must be interpreted in a way which does not contradict the very nature of the derogations as being exceptions from the rule that personal data may not be transferred to a non-EEA country, unless that country provides for an adequate level of data protection or, alternatively, appropriate safeguards are put in place. Derogations cannot become “the rule” in practice, but need to be restricted to specific situations.
Based on Art. 49 GDPR, a transfer, or set of transfers, may be made where the transfer is:
- made with the individual’s explicit consent;
- necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request;
- necessary for the performance of a contract made in the interests of the individual between the data controller and another person;
- necessary for important reasons of public interest;
- necessary for the establishment, exercise or defence of legal claims;
- necessary to protect the vital interests of the individual in question or other persons, where the individual is physically or legally incapable of giving consent; or
- made from a register which under the national law of an EEA country or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).
A certain “necessity test” has to be applied in order to assess the necessity of the transfer. This test requires an evaluation of whether a transfer of personal data can be considered necessary for the specific purpose of the derogation in question.
When none of the above derogations are applicable to a specific situation, it is possible to transfer data for the compelling legitimate interests of the data controller.
However, such transfers are permitted only where the transfer:
- is not repetitive (similar transfers are not made on a regular basis);
- involves data related to only a limited number of individuals;
- is necessary for the purposes of the compelling legitimate interests of the organisation (provided such interests are not overridden by the interests of the individual);
- is made subject to suitable safeguards put in place by the organisation (in the light of an assessment of all the circumstances surrounding the transfer) to protect the personal data; and
- is not being made by a public authority in the exercise of its public powers.
In these cases, organisations are obliged to inform the relevant DPA of the transfer and provide additional information to individuals.
In general, derogations should only be used as a last resort for framing a data transfer – organisations should first assess if it is not possible to use either an adequacy decision or an appropriate safeguard.
When relying on Art. 49 GDPR derogations, you must bear in mind that organisations transferring data must also comply with the other provisions of the GDPR (have a legal basis for the communication of data, implement security measures, apply data minimisation, sign a contract if the recipient is a data processor, etc.).