International data transfers are unavoidable for most businesses and organisations in today’s digital world. The GDPR takes a balanced approach between the necessity of cross-border data flows for the purposes of international trade and the level of protection provided to natural persons. Although the Regulation allows the free flow of personal data between Member States, it restricts data transfers to countries outside the European Economic Area (EEA).
As providers of GDPR compliance software, Privacy Perfect is committed to helping organisations make safe and legal data transfers. This blogpost series will be your guide to understanding international data transfers under the GDPR. International data transfer mechanisms, the current US approach, binding corporate rules and standard contractual clauses will be explained throughout our international data transfers blogpost series.
Chapter 5 of the GDPR regulates international data transfers. If your organisation wants to transfer personal data outside the European Economic Area, certain criteria must be fulfilled by your organisation. In order to be allowed to transfer data internationally, either:
- an adequate level of protection must be provided by the jurisdiction to which you want to make the transfer,
- appropriate safeguards must be taken by your organisation, or,
- one or more of the derogations under Article 49 must be applicable to your organisation.
Below, we briefly elaborate on these three options:
An international transfer can take place if all jurisdictions involved have an adequacy decision in place (Article 45 GDPR). If the European Commission has decided that a third country or specified sectors within that country ensure an adequate level of protection, such a transfer does not require any specific authorisation. So far the Commission has recognised Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. For the United States, the EU-U.S. Privacy Shield framework regulates data transfers between the US and the EU.
Alternatively, your organisation, being either a data controller or a processor, has to provide appropriate safeguards for the data transfer (Article 46 GDPR). This can be in the form of:
- a legally binding and enforceable instrument between public authorities,
- binding corporate rules,
- model contractual clauses adopted by the Commission or a supervisory authority and approved by the Commission,
- an approved code of conduct, or
- an approved certification mechanism.
Finally, if none of the above mechanisms can be used by your organisation, the derogations under Article 49 might legitimise your transfer. These derogations are:
- the data subject has given their explicit consent,
- necessary for the performance of a contract,
- necessary for the public interest,
- necessary for legal claims,
- necessary for the vital interests of the data subject,
- the transfer is made from a register which is intended to provide information to the public.
To sum up, the GDPR restricts international data transfers in order to protect the personal data of EU residents. However, it also considers the need for international data transfers for global trade and communication and takes a balanced approach. Several routes to legitimise international data transfers can be found in the GDPR itself. You need to check the above-mentioned mechanisms and see whether they are applicable to your cross-border transfer. These mechanisms will be explained in detail in the next blog posts in this series.