New EU data protection law: Data transfer to third countries
International business transactions often involve cross border transfer of personal data. This is the case for instance where the data is stored on a server located in a third country (a country outside the EEA) or a third country IT service provider has access to the data processed by a company within the EU. If personal data is to be transferred to a third country specific provisions of the GDPR will apply.
Adequacy decision of the EU-Commission
The EU-Commission is entitled to take a decision whether an appropriate level of data protection is guaranteed in the recipient third country. So far, the Commission has decided that e.g. Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Jersey, Isle of Man, Switzerland, New Zealand and Uruguay provide the necessary data protection standards. Data transfers into these countries shall be deemed as if these were made within the EU.
Similarly, the EU-Commission adopted the decision on the ‘EU-US Privacy Shield’ in favour of the United States of America. According to the EU-US Privacy Shield American companies voluntarily undergo a certification procedure. Data transfers to companies which have been accordingly certified may take place basically without individual authorization by the supervisory authority.
In the absence of an adequacy decision regarding a third country, personal data may nevertheless be transferred to this country if the controller or processor has provided appropriate safeguards and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available. Otherwise, an individual authorization by the supervisory authority is required. Appropriate safeguards include, among others, the following:
- Binding Corporate Rules (BCR)
Binding corporate rules are data protection policies that are applied in one or more third countries by companies of a group of undertakings. The BCRs have to be legally binding in, and apply to, every member concerned in the group of undertakings. Furthermore, BCRs shall be approved by the competent supervisory authority and shall fulfill the minimum requirements regarding BCRs set out specifically in the GDPR.
- Standard Contractual Clauses
Data transfers to a third party may also take place on the basis of model contract clauses. Model contractual clauses shall either be adopted by the EU-Commission or adopted by the supervisory authority and approved by the EU-Commission. The Commission has so far adopted such model contracts in 2001, 2004, 2010 for data transfers between controllers or a controller and a processor which, however, do not entirely fulfill the new requirements under the GDPR.
- Approved codes of conduct
Associations and other bodies representing companies may prepare codes of conduct, which may also serve as a legal basis for data transfers, provided that they are approved by the competent supervisory authority.
- Approved certification mechanism
The establishment of certification mechanisms, including bodies accredited to audit and certify compliance, is encouraged under the GDPR.
In the absence of an adequacy decision or of appropriate safeguards, data may nonetheless be transferred if the data subject has been informed of the possible risks of the proposed transfer and has explicitly consented thereto. Data transfers are also permitted without individual authorization – among others – if the transfer is necessary for the conclusion or the performance of a contract concluded with or in the interest of the data subject or for the protection of vital interests of the data subject or for the establishment, exercise or defense of legal claims.
Should you have any queries, please do not hesitate to contact one of our offices.