GDPR Third Countries
In view of international trade and cooperation, it is essential these days to be able to transmit data to third countries as well. The legitimacy of such a transfer is examined in two stages.
First, the data transfer itself must be legal. Any processing of personal data is prohibited unless an authorisation applies. In addition to consent, Art. 6 of the General Data Protection Regulation (GDPR) sets forth further grounds for authorisation, such as fulfilling a contract or protecting vital interests. For special personal data which requires a higher level of protection, Art. 9 of the GDPR provides separate legal requirements.
If the intended data transfer meets the general requirements, one must check in a second step whether transfer to the third country is permitted. One must differentiate between secure and unsecure third countries. Secure third countries are those for which the European Commission has confirmed a suitable level of data protection on the basis of an adequacy decision. In those countries, national laws provide a level of protection for personal data which is comparable to that of EU law. At the time that the General Data Protection Regulation became applicable, the third countries which ensure an adequate level of protection were: Andorra, Argentina, Canada (only commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan and USA (if the recipient belongs to the Privacy Shield). Data transfer to these countries is expressly permitted.
If there is no adequacy decision for a country, this does not necessarily foreclose any data transfer to this country. Rather, the controller must ensure in another way that the personal data will be sufficiently protected by the recipient. This can be assured using standard contractual clauses; for data transfers within a group, through so-called “binding corporate rules”; through the commitment to comply with codes of conduct which have been declared by the European Commission as being generally applicable; or by certification of the data processing procedure.
Furthermore, there are several exceptions which legitimise data transfer to a third country, even if the protection of personal data cannot be sufficiently assured. Most frequently, the consent of the data subject is relevant here. At the same time, one must particularly note the requirements for such a consent to be freely given. Further exceptions, such as transmitting to fulfil contracts, important reasons of public interest and the assertion of legal rights are usually less relevant in practice.
Especially from an economic point of view, data transfers between the United States and the European Union are of utmost importance. The European Commission recognised this at an early stage and was keen on securing the flow of personal data through a unique arrangement. However, from a data protection point of view, the so-called Safe Harbour agreement between the two parties has always been questionable and was declared invalid by the European Court of Justice in the wake of the Snowden revelations (Schrems vs. Data Protection Commissioner). Since then it has been replaced by another unique framework, the Privacy Shield, which should provide a stricter set of ground rules for data transfer from the EU to the US. However, many points criticised by the Court during the Schrems ruling still persist in the new arrangement. Therefore, the Privacy Shield is currently under high scrutiny by the European Data Protection Authorities.
Suitable GDPR articles
Art. 40 GDPR Codes of conduct
Art. 42 GDPR Certification
Art. 44 GDPR General principle for transfers
Art. 45 GDPR Transfers on the basis of an adequacy decision
Art. 46 GDPR Transfers subject to appropriate safeguards
Art. 47 GDPR Binding corporate rules
Art. 48 GDPR Transfers or disclosures not authorised by Union law
Art. 49 GDPR Derogations for specific situations
Art. 63 GDPR Consistency mechanism
Suitable Recitals
(101) General Principles for International Data Transfers
(102) International Agreements for an Appropriate Level of Data Protection
(103) Appropriate Level of Data Protection Based on an Adequacy Decision
(104) Criteria for an Adequacy Decision
(105) Consideration of International Agreements for an Adequacy Decision
(106) Monitoring and Periodic Review of the Level of Data Protection
(107) Amendment, Revocation and Suspension of Adequacy Decisions
(108) Appropriate Safeguards
(109) Standard Data Protection Clauses
(110) Binding Corporate Rules
(111) Exceptions for Certain Cases of International Transfers
(112) Data Transfers due to Important Reasons of Public Interest
(113) Transfers Qualified as Not Repetitive and that Only Concern a Limited Number of Data Subjects
(114) Safeguarding of Enforceability of Rights and Obligations in the Absence of an Adequacy Decision
(115) Rules in Third Countries Contrary to the Regulation
External Links
Authorities
Data Protection Authority UK ► International transfers
Data Protection Authority Ireland ► Cross-border processing and the one stop shop
Data Protection Authority Isle of Man ► Transfers to third countries
Article 29 Data Protection Working Party ► WP244 – Guidelines on the Lead Supervisory Authority
Article 29 Data Protection Working Party ► WP245 – EU-US Privacy Shield F.A.Q. for European Businesses
European Commission ► Data transfers outside the EU
European Commission ► Withdrawal of the United Kingdom from the Union and EU – Rules in the field of data protection
EU publications ► Handbook on European data protection law – Personal data transfers to third countries/non-parties or to international organisations, page 253
Expert contribution
IAPP ► Top 10 operational impacts of the GDPR: Part 4 – Cross-border data transfers
A&L Goodbody ► The GDPR: A Guide for Businesses – International Data Transfers, Page 29
Oxford University Press ► Commentary on the EU General Data Protection Regulation (GDPR) – Transfers subject to appropriate safeguards, Page 108
For more information, see here: https://gdpr-info.eu/issues/third-countries/
These materials were obtained directly from the International Government public websites and public websites and are posted here for your review and reference only. No Claim to Original International Government Works or public websites. These may not be the most recent versions. The International Governments and public websites may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.