Data transfer according to German law

Trans-national data traffic is regulated differently from data protection within the Single European Market. The Data Protection Directive (95/46/EC) determines the legality of data transmissions from Germany to other countries. According to § 4b (1) BDSG, different rules apply to data transfer within the Single European Market than to data transfers to so-called “third countries”. Third countries are those which are not 1) a member state of the EU, 2) a contracting state of the European Economic Area or 3) an institution of the EU.

Within the EU / the EEA & commissioned data processing (ADV)

The admissibility check of data transmissions within the Single European Market is determined by national law. According to § 4 (1) BDSG, a legal basis or consent of the data subject is necessary.

Processing carried out on behalf of a controller, however, is regulated differently. Such processing is privileged if the transfer occurs within the EU and the EEA. Under that privilege, processors are not considered “third parties” (see Processing carried out on behalf of a controller). Forwarding personal data to a processor is therefore not considered a “transmission”.

Outside the EU/ EEA (third countries)

In order to transfer data outside of the EU and the EEA, a two-step assessment is required: the general admissibility check is followed by verification that the transfer respects the data protection level of the recipient country. § 4b (2) BDSG contains a transmission prohibition, which is consistent with Article 25 (1) of the EU Directive. A company with a German branch must therefore satisfy itself that the recipient country provides an adequate data protection level before personal data may be processed, stored or used there. If the data protection level is insufficient, the transmission must not take place, since otherwise the personal rights of the data subject would be disproportionately infringed.


Sufficient data protection level

If an appropriate protection level exists, the basic prohibition of data transmission under § 4b (2) BDSG does not apply. The European Commission can declare the data protection level of a third country adequate, i.e. comparable with that of the EU, according to Article 25 (6) of the Directive.

The list of third countries currently declared as having an adequate data protection level, and further information, can be found here:

http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm

Confirmation of an adequate data protection level by the responsible authority requires, according to § 4 (5) BDSG, an extensive examination of the aspects listed in § 4 (3) BDSG, including:

  1. the type of data
  2. the intended purpose
  3. the duration of planned processing
  4. the country of origin and final destination
  5. the applicable legal standards for the receiver of the personal data
  6. the applicable professional ethics and security measures of the receiver


Insufficient data protection level 

Transmission to third countries with an insufficient data protection level is possible if one of the statutory exceptions of § 4c (1) BDSG applies, or if, according to § 4 (2), the competent supervisory authority has approved the transfer.

Standard contractual clauses

For such approval, the responsible body must provide binding guarantees in the form of contractual clauses. Separate approval by the supervisory authority is not necessary as long as the EU standard contractual clauses are used without changes. If contracts deviating from the standard clauses are drawn up, the guarantees they contain must be verified by the supervisory authority with regard to the data protection level.

BCR

“Binding Corporate Rules” (BCR) can also be introduced within corporate groups. With the help of these rules, parent companies and subsidiaries can facilitate international and overseas data transfers within the group. The group’s internal rules must be legally binding on all parts of the group with the same effect.

A checklist created by the European Union, together with instructions for applying for approval of a group’s internal rules, can be found here:
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2005/wp108_de.pdf

Special case: Privacy Shield

An agreement between the USA and the EU lays down rules for guaranteeing data protection. US companies can submit to these “Privacy Shield” rules. Where they do, an adequate data protection level is currently considered to be achieved.