For many businesses, the international transfer of data is a critical part of day-to-day operations. The General Data Protection Regulation (GDPR) protects individuals’ personal data in this regard, meaning organisations cannot transfer personal data outside the European Economic Area (EEA) unless certain safeguards are in place. We explain below the permitted transfer mechanisms:
Is it an international data transfer?
First, you need to identify whether you are transferring personal data out of the European Economic Area (EEA). A “transfer” takes place where personal data is processed during or after the transfer to a third country. The impact of Brexit and data transfers is considered in our article GDPR and Data Transfers in the event of ‘No-Deal’ Brexit.
If personal data merely passes through a non-EEA country, this is simply a “transit” of data and is not within scope.
Here are some examples of personal data transfers out of the EEA:
- Emailing an employee list from Ireland to headquarters in the US;
- Using storage or hosting facilities in South Africa;
- Outsourcing Irish employees’ payroll to India.
The European Commission (EC) considers certain countries to provide an adequate level of data protection to EU data subjects. If you are transferring personal data to an “adequate” country then you can do this without putting further safeguards in place. The list currently includes Canada, Israel, New Zealand and Switzerland. The full list is under frequent revision and can be found on the EC’s website.
EU-US Privacy Shield
At present, personal data transfers are permitted to the USA under the EU-US Privacy Shield framework, which replaced the Safe Harbor transfer mechanism. The Privacy Shield is based on self-certification by companies. It allows companies to self-certify their compliance with data protection standards that have been found to provide an equivalent level of protection to the EU.
A list of companies who have self-certified can be found on the Privacy Shield website. If the company is on the list, at present, the transfer can take place without further safeguards.
Note: The future of the Privacy Shield mechanism is in doubt because its effectiveness is currently being challenged. US and European companies that rely solely on Privacy Shield to comply with GDPR need to keep this under review.
Safeguards for “non-adequate” countries
Below is a snapshot of some of the other options for transferring personal data to countries without an adequacy decision:
Standard Contractual Clauses (SCCs)
SCCs are model contracts approved by the European Commission. They are the most popular mechanism for transferring personal data and are available to download on the EC’s website. There are currently two sets of SCCs, one for controller-to-controller transfers and one for controller-to-processor transfers.
Note: The SCCs are currently being challenged before the European Courts and so it is possible that they will be changed or revoked in the near future.
Binding Corporate Rules (BCRs)
BCRs are intended to be used by large multinationals to allow for intra-group transfers of personal data. BCRs must be approved by the supervising data protection authority and then signed up to by each subsidiary that is undertaking data transfers. They tend to have limited use because they cannot be used for data transfers to third parties and because of the prior approval requirement.
While SCCs and BCRs are the main safeguards for international data transfers, GDPR does contain others. These include:
- An approved code of conduct or certification mechanism: approved by the relevant supervisory authority together with binding and enforceable commitments from both parties;
- Ad-hoc contracts approved by the relevant supervisory authority;
- Administrative arrangements made between public authorities (e.g. a memorandum of understanding) approved by the relevant supervisory authority.
GDPR provides for limited derogations from the general restriction on international data transfers. These exceptions should be used narrowly and as a last resort after other transfer mechanisms have been considered. The European Data Protection Board guidance should also always be consulted. Consent, in particular, should be approached with care as it is a complex legal basis and consent can be withdrawn at any time. Examples of derogations include:
- Individual consent: The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks due to the absence of an adequacy decision and appropriate safeguards;
- Necessity for performance of a contract or the exercise of legal claims.