For companies that transfer personal data outside the EU, the rules on European data transfers are crucial. Data transfers inside the EU enjoy a guaranteed free flow, but data transfers outside its borders are subject to more rigorous rules. The GDPR imposes these obligations not only on controllers but also on processors.
A data transfer to a third country or to an international organization may take place only if the conditions of Chapter V GDPR are met (see below), so that the level of protection of data subjects’ rights is not undermined. These rules also apply to further (onward) data transfers, e.g., from the third country or international organization to another third country or to another international organization.
The GDPR allows for the transfers of personal data only if an adequate level of data protection has been ensured in the target country, or if appropriate safeguards have been provided, and if data subjects can enforce their rights and access effective legal remedies.
Adequate level of personal data protection
Data transfer to a third country or an international organization may take place on the basis of an adequacy decision (Art. 45 GDPR). This means that if the European Commission decides that a third country or an international organization ensures an adequate level of protection, any data transfer to this country or international organization may occur without any further specific authorization.
The elements for assessing the level of adequacy are listed in Art. 45(2) GDPR (inter alia: relevant legislation, independent supervisory authorities, international commitments, etc.). The Commission’s adequacy decision provides for a mechanism of periodic review.
If the Commission decides that a third country or international organization no longer ensures an adequate level of protection, it will publish this information in the Official Journal of the European Union and on its website.
It must be remembered that data transfers to countries deemed to have an adequate level of protection must still take place on the basis of the data processing agreement (DPA) between the controller and the processor (and sub-processors).
If no adequacy decision has been taken, a data transfer to a third country or an international organization may take place if appropriate safeguards have been provided and if enforceable data subject rights and effective legal remedies for data subjects are available (Art. 46 GDPR). The obligation to provide such appropriate safeguards lies with the controller or processor.
Such appropriate safeguards may be ensured by either:
- a legally binding and enforceable instrument between public authorities or bodies themselves
- binding corporate rules
- standard data protection clauses adopted by the Commission
- standard data protection clauses adopted by a supervisory authority and approved by the Commission
- an approved code of conduct, together with binding and enforceable commitments of the controller/processor in the third country to apply the appropriate safeguards
- an approved certification mechanism, together with binding and enforceable commitments of the controller/processor in the third country to apply the appropriate safeguards
Further, provided that authorization from the competent supervisory authority is obtained, the appropriate safeguards may also be ensured by either:
- contractual clauses between the data controller/processor and the data controller/processor/recipient in the third country/international organization
- provisions inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights