Transfers of personal data to a third country
In some cases it is permitted to transfer personal data to a third country, while in other cases it is prohibited. A company that wishes to transfer personal data to a third country must ensure that the transfer is lawful before it takes place. A third country is a country outside the EU/EEA.
Examples of transfers of personal data to third countries:
E-mail: A person at a company sends a document containing personal data, such as a name and phone number, to a person in a country outside the EU/EEA.
Cloud service: A company that is the data controller stores backup files containing personal data with an online cloud service operated by a company located outside the EU/EEA.
Transfer of personal data to the United States
The EU-US Privacy Shield was an agreement reached in 2016 between the EU and the US on the protection of personal data transferred between the EU and the US. In 2020, the CJEU annulled the EU-US Privacy Shield in the so-called Schrems II judgment. The court found that the Privacy Shield did not provide a level of protection adequate under the GDPR for transfers of personal data to third countries. As a result, a transfer could no longer be based on the EU-US Privacy Shield. Following the Schrems II judgment, the EU and the US began work on a new agreement without the shortcomings identified by the judgment.
The European Commission then adopted a new adequacy decision for the United States in 2023. The decision only covers recipients that have joined the new EU-U.S. Data Privacy Framework (DPF). In other words, personal data may be transferred to the United States without any additional safeguards if the recipient of the personal data is covered by the DPF.
Even if the recipient in the United States is not covered by the DPF, a transfer of personal data may still be permitted. In that case, however, the company transferring the personal data must put appropriate safeguards in place.
Specific situations and exceptions
If the European Commission has not adopted an adequacy decision under Article 45 GDPR for the third country, and no appropriate safeguards (such as binding corporate rules) are in place, a company may only transfer personal data to that third country if one of the exceptions for specific situations applies. An applicable exception is therefore necessary for such a transfer to be lawful. One example of an exception that makes the transfer valid is that the data subject has given explicit consent to the transfer, after the company has fulfilled its duty to inform the data subject about the risks associated with the transfer.
Adequate level of protection
The European Commission can decide that a country ensures an adequate level of protection. Such a decision may also apply to a particular territory, such as a state within a country, rather than the whole country. In that case, companies processing personal data covered by the GDPR may transfer personal data there without any specific permission and without adopting additional safeguards. Examples of additional safeguards for transfers to a third country that does not have an adequate level of protection are the EU standard contractual clauses (SCCs) and binding corporate rules (BCRs).
The European Commission publishes the list of countries for which it has adopted an adequacy decision.
Additional safeguards
If the European Commission has not found that a third country has an adequate level of protection, a company that wishes to transfer personal data there needs to take additional safeguards. This can be done in different ways: for example, by establishing binding corporate rules (BCR), by including the European Commission's standard contractual clauses (SCC) in its contract with the recipient in the third country, or by adhering to an approved code of conduct. A brief summary of each of these additional safeguards follows.
Binding corporate rules (BCR)
A multinational group of companies, or several companies in different countries that jointly conduct an economic activity, may establish binding corporate rules to govern transfers of personal data to companies within the group that are located in a third country.
Binding corporate rules (BCR) are an example of an appropriate safeguard under Article 46(2)(b) of the GDPR, and they are further regulated in Article 47 of the GDPR.
BCRs must be approved by the competent data protection authority before they can be relied on as an appropriate safeguard. In addition, the other data protection authorities in the EU/EEA and the European Data Protection Board may issue an opinion prior to the authorisation.
Standard Contractual Clauses (SCC)
The European Commission has developed and approved Standard Contractual Clauses (SCCs) that companies can use when transferring personal data to a third country (i.e. a country outside the EU/EEA that does not have an adequate level of protection).
Please note that the European Commission may update the standard contractual clauses, which means that companies using them also need to update the corresponding clauses in contracts they have already concluded.
In short, the SCC govern transfers of personal data covered by the GDPR to a third country. The purpose of the agreement is to meet the GDPR's requirement for "protection measures" (appropriate safeguards) for third-country transfers under Article 46 GDPR.
Selection of the correct clauses when using the SCC
The standard contractual clauses contain provisions that apply to different types of situations, and they are structured into four "modules", each covering a different transfer scenario: for example, a transfer of personal data from a controller within the EU to another controller in a third country, or to a processor in a third country. It is important to use the module of the SCC that matches the specific situation.
Codes of conduct or certification mechanisms
A code of conduct is a set of instructions, specific to a particular industry, on how companies in that industry should comply with the GDPR. Among other things, it contains practical guidance. It is common for organisations representing an industry to draw up a code of conduct that companies can adhere to. One advantage is that adherence can help build trust with customers.