International data transfers are unavoidable for most of the businesses and organisations in today’s digital world. The GDPR takes a balanced approach between the necessity of cross-border data flows for the purposes of international trade and the level of protection provided to natural persons. Although the Regulation allows the free flow of personal data between Member States, it restricts data transfers to countries outside the European Economic Area (EEA).
Chapter 5 of the GDPR regulates international data transfers. If your organisation wants to transfer personal data outside the European Economic Area, it must fulfil certain criteria. In order to be allowed to transfer data internationally, either:
Below, we briefly elaborate on these three options:
An international transfer can take place if all jurisdictions involved have an adequacy decision in place (Article 45 GDPR). If the European Commission has decided that a third country or specified sectors within that country ensure an adequate level of protection, such a transfer does not require any specific authorisation. So far the Commission has recognised Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. For the United States, the EU-U.S. Privacy Shield framework regulates data transfers between the US and EU.
Alternatively, your organisation, being either a data controller or a processor, has to provide appropriate safeguards for the data transfer (Article 46 GDPR). This can be in the form of:
Finally, if none of the above mechanisms can be used by your organisation, the derogations under Article 49 might legitimise your transfer. These derogations are:
To sum up, the GDPR restricts international data transfers in order to protect the personal data of EU residents. However, it also considers the need for international data transfers in global trade and communication and takes a balanced approach. Several routes to legitimise international data transfers can be found in the GDPR itself. You need to check the above-mentioned mechanisms and see if they are applicable to your cross-border transfer. These mechanisms will be explained in detail in the next blog posts in this series.