International data transfers play a vital role for data-driven businesses and organisations. As everyday processes have moved online and the digital world keeps advancing, organisations must take appropriate measures to protect their data and the data subjects behind it. The EU's GDPR aims to protect personal data, and it sets strict obligations and standards that every organisation must meet when dealing with international data transfers. Below are key points for organisations to consider when carrying out international data transfers from and to the EU.
International data transfers are regulated in Chapter 5 of the GDPR. If an organisation transfers personal data outside the EU or the European Economic Area (EEA), certain criteria must be met. For an organisation to get a green light for transferring data internationally, one of the following must apply:
• An adequate level of protection is provided by the jurisdiction to which the organisation wants to make the transfer.
• Appropriate safeguards have been put in place by the organisation.
• One or more of the derogations under Article 49 apply to the transfer.
How can one carry out an international transfer?
According to Article 45 of the GDPR, an international transfer can take place if the jurisdictions involved are covered by an adequacy decision. Where the European Commission has decided that a third country, or even specific sectors within that country, ensures an adequate level of protection, the transfer may not need any specific authorisation. If no adequacy decision covers your organisation's planned transfer, you must instead identify the appropriate safeguards you have in place; these strengthen the legal basis for your data transfer.
Article 46(2) of the GDPR lists several mechanisms that your organisation can rely on as appropriate safeguards:
• A legally binding and enforceable instrument between public authorities or bodies (Article 46(2)(a))
• Binding Corporate Rules (Article 46(2)(b))
• Standard data protection clauses adopted by the Commission (Article 46(2)(c))
• Standard data protection clauses adopted by the supervisory authority and approved by the Commission (Article 46(2)(d))
• An approved code of conduct (Article 46(2)(e)) or an approved certification mechanism (Article 46(2)(f)).
Is there a back-up plan?
What if none of the mechanisms above apply to you? In that case, whoever handles legal matters within your organisation can turn to Article 49 as a back-up. Article 49 of the GDPR provides a set of derogations that may still legitimise the transfer.
The derogations apply where:
• The data subject has given their explicit consent
• It is necessary for the performance of a contract
• It is necessary for the public interest
• It is necessary for legal claims
• It is necessary for the vital interests of the data subject(s)
• The transfer is made from a register that is intended to provide information to the public.
Keeping the balance in mind
The GDPR imposes obligations that make data transfers from and to the EU a matter requiring care. It combines the aim of protecting the personal data of EU residents with an emphasis on the importance of international data transfers for communications and trade between countries. Organisations will always need to keep this balance between the two in mind.