Transfers of personal data to third countries

The transfer of personal data to recipients outside the EU is generally prohibited unless:

the third country in which the processing is taking or will be taking place is deemed to provide an adequate level of data protection;
the organisation exporting the data puts in place appropriate safeguards; or
a GDPR derogation (or exemption) applies.

Learn more about transfers to third countries here

Adequate level of data protection

A transfer of personal data to a third country or an international organisation may take place where the European Commission has decided that the third country or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. These countries are sometimes referred to as having been ‘white-listed’. The Privacy Shield is the framework that governs transfers between the EU and US.

Learn more about those (white-listed) countries with adequacy decisions here and more about the Privacy Shield here 

Appropriate safeguards

Where there is no adequacy decision on a destination country, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. The safeguard for transfers within a group of undertakings is for the group to have a set of approved Binding Corporate Rules. If the transfer is not within a group of undertakings, the transferring organisation must incorporate the EC-provided model clauses into its controller-to-processor contracts or controller-to-controller agreements.

Learn more about binding corporate rules here. Find the controller to controller model contracts here and the controller to processor model contracts here 

Derogations for specific situations

In the absence of an adequacy decision, or of appropriate safeguards, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on specific conditions. Application of the derogations should not be taken lightly or simplistically. Always consult your supervisory authority before applying any derogations.

If you transfer to countries outside the EU, GDPR365 will prompt you for a legal basis when you maintain your processor contracts or data sharing agreements, and then take you to the appropriate document to use: either the GDPR365 template, or the EC site for Binding Corporate Rules or the model clauses.


The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018

Russell is the author of this solution article.
