Transfers of personal data to third countries

The transfer of personal data to recipients outside the EU is generally prohibited unless:

the third country in which the processing is taking or will be taking place is deemed to provide an adequate level of data protection;
the organisation exporting the data puts in place appropriate safeguards; or
a GDPR derogation (or exemption) applies.

Learn more about transfers to third countries here.

Adequate level of data protection

A transfer of personal data to a third country or an international organisation may take place where the European Commission has decided that the third country or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. These countries are sometimes referred to as having been ‘white-listed’. Learn more about those (white-listed) countries with adequacy decisions here.

Privacy Shield

The Privacy Shield is the framework that governs transfers between the EU and the US. If the Privacy Shield is used, U.S. companies must first sign up to this framework with the U.S. Department of Commerce here. This Department is responsible for managing and administering the Privacy Shield and ensuring that companies live up to their commitments. In order to be able to certify, companies must have a privacy policy in line with the Privacy Principles. They must renew their “membership” of the Privacy Shield on an annual basis. If they do not, they can no longer receive and use personal data from the EU under that framework. In that case, transfers must instead be governed by EC-approved contractual clauses or binding corporate rules. Learn more about the Privacy Shield here.

Appropriate safeguards

Where there is no adequacy decision on a destination country, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. The safeguard for transfers within a group of undertakings is for the group to have a set of approved Binding Corporate Rules. If the recipient is not part of the same group of undertakings, the transferring organisation must ensure that it incorporates the EC-provided model clauses into its controller-to-processor contracts or controller-to-controller agreements.

Learn more about binding corporate rules here. Find the controller-to-controller model contracts here and the controller-to-processor model contracts here.

Derogations for specific situations

In the absence of an adequacy decision, or of appropriate safeguards, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on specific conditions. Application of the derogations should not be taken lightly or simplistically. Always consult your supervisory authority before applying any derogations.

If you transfer to countries outside the EU, then when you maintain your processor contracts or data sharing agreements, your compliance management app will prompt you for a legal basis and then take you to the appropriate document to use, i.e. either the app template or the EC site for Binding Corporate Rules or the model clauses.

The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018

Russell is the author of this solution article.
