As cross-border data flows continue to play an important role in the global economy, so does compliance with the rules on data sharing. Within the EU, the rules concerning data privacy are laid down in the General Data Protection Regulation (“GDPR”). The GDPR provides specific rules concerning how and when companies and organisations may collect, process and store the personal data of private individuals. Through these rules, the GDPR seeks to protect the data of private individuals (“data subjects”) and to provide them with certain rights and access to legal remedies.
The protection offered by the GDPR does not only apply in the EU but “travels” with the data. Because of this, it is important that companies and organisations that transfer personal data to non-EU companies or organisations ensure that the data transfer takes place in full compliance with the GDPR.
In this blog, we provide an overview of the main rules concerning cross-border data transfer under the GDPR and describe how you can ensure that your cross-border data transfer is GDPR compliant.
International transfer of data under the GDPR
Chapter 5 of the GDPR provides the specific rules that apply to the transfer of personal data to countries outside the EU (the so-called “third countries”). These rules aim to ensure that the same level of protection applies to the data regardless of whether the data is being processed or stored in the EU or outside the EU. As a main rule, a transfer of personal data to a third country can only take place if the requirements in Chapter 5 are fulfilled. This chapter provides a number of different ways in which personal data can be transferred to a third country, each with its own specific requirements. Chapter 5 also specifies the obligations of the company or organisation that transfers the data (the so-called “data exporter”).
Since personal data can only be transferred if the specific requirements are fulfilled, data exporters must be aware of the applicable requirements and ensure that their international data transfers are GDPR-compliant. Chapter 5 of the GDPR provides several ways to lawfully transfer personal data. These can be divided into two categories: data transfers on the basis of an adequacy decision and, in the absence of an adequacy decision, data transfers on the basis of appropriate safeguards.
Data transfer on the basis of an adequacy decision?
Article 45 of the GDPR permits the transfer of personal data to those countries which the EU considers to provide an adequate level of protection. In practice, the EU assesses the level of data protection in these countries and if an adequate level of protection is offered, then the EU adopts a so-called “adequacy decision” concerning the country or territory. There is therefore no requirement for a specific authorisation when transferring data to these countries.
The EU has currently issued adequacy decisions concerning 15 countries and territories, including Argentina, Canada (partial), Japan, Korea and the UK. On 13 December 2022, the EU also published a draft adequacy decision regarding the United States, which needs to be adopted before it can enter into force.
Data transfer to a country without an adequacy decision?
Data can still be transferred to a third country that is not subject to an adequacy decision. According to article 46 of the GDPR, such transfers may still take place if the following two conditions are met:
- appropriate safeguards must be provided for
- the data subjects must be able to enforce their rights and have access to effective legal remedies
How these conditions are to be met depends on whether a specific authorisation has been obtained from the competent authority. If an authorisation is obtained from the competent authority, then the two conditions (appropriate safeguards and access to legal remedies) can be met by means of contractual arrangements between the EU-based data exporter and the data importer in the third country. If no authorisation is obtained from the competent authority, then the two conditions can still be met in other ways.
The personal data can for example be transferred on the basis of contractual arrangements between the EU data exporter and the data importer in the third country. Here, the parties can make use of standard clauses which have been issued by the EU Commission. If the data sharing occurs between companies engaged in a joint economic activity, then the personal data can be transferred on the basis of so-called “binding corporate rules”.
The transfer can also take place on the basis of adherence to an approved code of conduct, for example a code adopted by a trade association, or through the use of a certification mechanism which demonstrates that the data processing activities are GDPR-compliant.
If the data transfer occurs on the basis of a code of conduct or through the use of a certification mechanism, then it is important that the EU-based data exporter also obtains binding and enforceable commitments from the data importer in the third country that it will apply the appropriate safeguards.
Finally, if there is no applicable adequacy decision and the appropriate safeguards cannot be provided through the above-mentioned means, then the data transfer could potentially still take place on the basis of the special exceptions. This can, for example, be on the basis of the data subject’s explicit and informed consent, or where the transfer is necessary for the performance of a contract with the data subject.
Final thoughts
Companies and organisations that transfer personal data to countries outside the EU should ensure that they meet their obligations under the GDPR, both in their capacity as a data controller or processor and, in particular, in their capacity as a data exporter.
The GDPR provides a number of different ways whereby companies and organisations can lawfully transfer data to parties based outside the EU. It is therefore important that companies and organisations determine and use the appropriate basis for their data transfers and ensure their continued compliance with the applicable requirements.
If you have any questions or would like to hear more on this, please reach out to our GDPR team: