When designing data processing activities, there is often a need to transfer personal data to a third country (for example, to carry out part of the processing there). What must be done for such a transfer to be lawful?
The GDPR contains relatively detailed rules on the conditions under which personal data may be transferred to third countries (or international organisations). As Recital 101 puts it: "Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation."
Third countries are, in essence, non-EEA countries. A transfer of data within the EEA is therefore not a transfer to a third country, and the special rules do not apply to it.
What can be the legal basis for data transfers to third countries?
The GDPR's rules on transfers to third countries build on one another: the controller should go through the following steps in order, stopping at the first one that provides a valid basis for the transfer.
1st Step: Data transfer based on an adequacy decision. If the Commission has decided that the third country (or a territory or specified sector within it) ensures an adequate level of protection, the transfer may take place without any specific authorisation.
2nd Step: If the Commission has not adopted an adequacy decision for the recipient country, a controller or processor may transfer personal data to the third country only if it has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. The following safeguards may be used without any specific authorisation from a supervisory authority:
- the use of binding corporate rules (BCR);
- standard data protection clauses adopted by the Commission or standard data protection clauses adopted by a supervisory authority and approved by the Commission;
- an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights;
- an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
(Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to above may also be provided for, in particular, by: (a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or (b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.)
3rd Step: In the absence of an adequacy decision and of appropriate safeguards, the GDPR allows derogations for specific situations. A transfer may then take place only if one of the following conditions is met:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
4th Step: If the transfer cannot be based on an adequacy decision, there are no appropriate safeguards and none of the derogations for specific situations apply, the transfer to the third country may take place only if it:
- is not repetitive;
- concerns only a limited number of data subjects;
- is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject; and
- is made after the controller has assessed all the circumstances surrounding the transfer and, on the basis of that assessment, provided suitable safeguards for the protection of the personal data.
In such cases the controller must inform the supervisory authority of the transfer. In addition to the general information obligations (Articles 13 and 14), the controller must also inform the data subject of the transfer and of the compelling legitimate interests pursued.
Which countries are covered by adequacy decisions?
At the time of writing, adequacy decisions are in place for the following third countries:
- Andorra
- Argentina
- Canada (not all controllers are covered: the decision applies only to commercial organisations subject to PIPEDA)
- Faroe Islands
- Guernsey
- Isle of Man
- Israel
- Jersey
- New Zealand
- Switzerland
- Uruguay
- USA (limited to organisations certified under the EU-US Privacy Shield)
(The relevant Commission decisions are published on the Commission's website.)
How does the application of the GDPR affect the previously adopted adequacy decisions?
The Regulation expressly addresses this issue: decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC remain in force until amended, replaced or repealed by a Commission decision adopted in accordance with the GDPR (Article 45(9)). The Commission has also announced that it will review the adequacy decisions for all 12 countries, and WP29 has just published a Working Document that "aims to provide guidance to the European Commission and the WP29 under the GDPR for the assessment of the level of data protection in third countries and international organizations by establishing the core data protection principles that have to be present in a third country legal framework or an international organization in order to ensure essential equivalence with the EU framework."
With regards to which countries may the Commission adopt an adequacy decision in the near future?
The next country for which the Commission may adopt an adequacy decision, possibly as early as spring 2018, is Japan. Věra Jourová, the EU Commissioner responsible for this area, has announced that she would also open discussions with South Korea by the end of 2017 in order to take the necessary steps towards an adequacy decision.
What happens to the United Kingdom after Brexit?
In the light of Brexit, data transfers to the United Kingdom also need to be settled. Given the close economic ties, it is of the utmost importance that data continue to flow smoothly. The British side's aim is for the Commission to recognise the adequate level of protection in the United Kingdom in an adequacy decision. Technical difficulties may arise, however, since such a decision can only be adopted for a third country, and the United Kingdom does not become one until the moment of withdrawal. In January, the European Commission also drew the attention of all controllers concerned to the need to put in place a lawful basis for transfers of data to the United Kingdom as a third country.