What steps can you take now to prepare for the new GDPR rules on cross-border data transfers?

Our 'Get ready for GDPR' updates are designed to outline what you can do now to prepare for compliance with GDPR, which comes into force on 25 May 2018. If you would like us to notify you when new updates are available, please sign up for email alerts.

Cross-border data transfers: what you need to know

Does your organisation transfer personal data outside of the European Economic Area? (eg online and cloud services)? Do you have suppliers or storage systems which may transfer data internationally? If so, you need to ensure that you comply with the data transfer regulations under GDPR.

The current Data Protection Directive imposes restrictions on data transfers. GDPR will also restrict transfers of personal data to third countries (i.e. outside of the EEA) which could impact organisations that operate internationally.

This article outlines the circumstances in which data transfers will be permitted, changes introduced in GDPR and what you can do now to prepare for compliance.

Each transfer of personal data that is not GDPR-compliant could result in a fine of up to 4% of your organisation's worldwide annual turnover.

When are cross-border data transfers permitted?

Both the current Data Protection Directive and GDPR allow the transfer of personal data under certain circumstances.

Recipient country is declared 'adequate'

Currently, data transfers are allowed to a third country if the European Commission decides it has 'adequate' safeguards for personal data protection. GDPR goes further, allowing transfers to individual territories or sectors within a third country if they have been deemed adequate.

Standard contractual clauses

Transfers are permitted if there are standard contractual clauses adopted by the European Commision or a supervisory authority (and approved by the Commission), or authorised by a supervisory authority.

Binding Coprorate Rules (BCRs)

BCRs allow various legal entities within a corporation (eg a multinational) to transfer personal data. BCRs can also be used by a group of enterprises engaging in a joint economic activity. Under GDPR, BCRs will need to be approved by a supervisory authority according to rules laid out in GDPR's consistency mechanism.

Codes of conduct and certification schemes

Under GDPR, transfers are permitted under codes of conduct and certification schemes drawn up by industry associations or representative bodies. These must be approved by a supervisory authority.

Ad hoc safeguards

Ad hoc data protection safeguards may also be agreed if they are approved by the relevant supervisory authority.

Specific derogations

Like its predecessor, GDPR will also include specific exemptions for data transfers which apply when:

  • the data subject explicity consents to the transfer (and is aware of the risks)
  • the transfer is needed for the performance of a contract
  • the transfer is deemed necessary for reasons of public interest
  • the transfer is necessary in relation to a legal claim
  • the transfer is necessary to protect the data subject's vital interests (eg their life)
  • the transfer is made from a public register established by law in the European Union or a member state
  • the transfer is necessary for the 'legitimate interests' of the data controller. These interests must not supersede the rights of the data subject. The data controller must asses all circumstances of the transfer and provide reasonable safeguards to protect the personal data.