GDPR: Transferring data outside of the European Union

The General Data Protection Regulation (“GDPR”) requires a data controller to implement safeguards to protect the personal data of residents in the European Union (“EU”). When an organization transfers data outside of the EU, it must follow the requirements of the GDPR. In this guide, we will explain:

  • What are the data transferring requirements of the GDPR: General Data Protection Regulation?
  • What is an adequacy decision under the GDPR?
  • What are appropriate safeguards under the GDPR?
  • What are binding corporate rules under the GDPR?
  • What other rules apply to transferring data outside the EU?

What are the data transferring requirements of the GDPR: General Data Protection Regulation?

Organizations that transfer data outside of the EU must follow certain restrictions under the GDPR. Chapter 5, “Transfers of personal data to third countries or international organisations,” sets the standards for these transfers in Articles 44-50. The articles are:

  • Article 44 – General principle for transfers
  • Article 45 – Transfers on the basis of an adequacy decision
  • Article 46 – Transfers subject to appropriate safeguards
  • Article 47 – Binding corporate rules
  • Article 48 – Transfers or disclosures not authorized by Union law
  • Article 49 – Derogations for specific situations
  • Article 50 – International cooperation for the protection of personal data

Article 44 states that: “Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization” may take place only if:

  • The conditions laid down in Chapter 5 are complied with by the controller and processor (subject to the other provisions of the GDPR).
  • These conditions also apply to onward transfers of personal data from the third country or an international organization to another third country or to another international organization.
  • All provisions must be applied to ensure that the level of protection of natural persons guaranteed is not undermined.

A transfer of personal data to a “third country” occurs when a controller or processor makes personal data available to someone outside the EU and European Economic Area (“EEA”). The GDPR evaluates the legitimacy of a data transfer in two stages:

  1. The data transfer itself must be legal.
  2. The data transfer to the third country must be permitted.

What is an adequacy decision under the GDPR?

Article 45 explains that an organization must ensure an adequate level of protection when transferring personal data to a third country or an international organization. The European Commission (“EC”) provides a list of secure third countries that have “a suitable level of data protection on the basis of an adequacy decision.” Data transfer to these countries is expressly permitted because they have national laws that provide a level of protection for personal data that is comparable to that in the EU.

If there is no adequacy decision for a country, the organization must ensure in another way that the personal data will be sufficiently protected by the recipient. The controller may use:

  • Standard contractual clauses
  • Binding corporate rules for data transfers within a group
  • A commitment to comply with codes of conduct that the EC declares applicable
  • A certification of the data processing procedure

There are several exceptions that legitimize a data transfer to a third country without sufficient assurance. These include:

  • Consent of the data subject
  • Transmitting to fulfill contracts
  • Important reasons of public interest
  • Assertion of legal rights

What are appropriate safeguards under the GDPR?

Article 46 applies in the absence of an adequacy decision pursuant to Article 45(3). This allows “a controller or processor to transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”

The appropriate safeguards may be provided without requiring any specific authorization from a supervisory authority. These safeguards include:

  1. A legally binding and enforceable instrument between public authorities or bodies;
  2. Binding corporate rules in accordance with Article 47;
  3. Standard data protection clauses adopted by the EC in accordance with the examination procedure in Article 93(2);
  4. Standard data protection clauses adopted by a supervisory authority and approved by the EC pursuant to the examination procedure referred to in Article 93(2);
  5. An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
  6. An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

Safeguards that require authorization from the competent supervisory authority may also be used. These appropriate safeguards include:

  1. Contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization; or
  2. Provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

What are binding corporate rules under the GDPR?

Article 47 explains the use of binding corporate rules, which must be approved by a competent supervisory authority. The rules must:

  1. Be legally binding, apply to, and be enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
  2. Expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
  3. Fulfill the 14 requirements (listed below) in Article 47(2).

The 14 requirements for binding corporate rules in Article 47(2) are:

  1. The structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;
  2. The data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;
  3. Their legally binding nature, both internally and externally;
  4. The application of the general data protection principles, in particular purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;
  5. The rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;
  6. The acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;
  7. How the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph (items 4, 5 and 6 above), is provided to the data subjects in addition to Articles 13 and 14;
  8. The tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;
  9. The complaint procedures;
  10. The mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) (item 8 above) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority;
  11. The mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
  12. The cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point (j) (item 10 above);
  13. The mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and
  14. The appropriate data protection training to personnel having permanent or regular access to personal data.

What other rules apply to transferring data outside the EU?

Article 48 applies to transfers or disclosures not authorized by the EU. Article 48 states that “any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer” under Chapter 5.

Article 49 applies to derogations for specific situations. Article 49 sets conditions for a transfer (or set of transfers) of personal data to a third country or an international organization “in the absence of an adequacy decision pursuant to Article 45(3) or of appropriate safeguards pursuant to Article 46, including binding corporate rules.” A transfer may take place only if:

  1. The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  2. The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
  3. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  4. The transfer is necessary for important reasons of public interest;
  5. The transfer is necessary for the establishment, exercise or defence of legal claims;
  6. The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
  7. The transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case. 

Article 50 explains the international cooperation for the protection of personal data. In relation to third countries and international organizations, the EC and supervisory authorities must take appropriate steps to:

  1. Develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;
  2. Provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;
  3. Engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;
  4. Promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

If you are a controller that transfers personal data of EU residents, your website needs a Privacy Policy that explains how you process personal data and whether you transfer that data outside of the European Union. Termageddon’s Privacy Policy generator helps you comply with the GDPR and avoid fines.