Guide to the cross-border transfer of personal data in the GDPR

Transfers within the EU

In cases of transfer of personal data within the EU, the GDPR does not impose any additional requirement with regard to the direct applicability of GDPR. Nevertheless, when a controller engages a processor, the relationship between data controller and data processor needs to be governed by an agreement and is subject to the minimum criteria laid down under the GDPR in these circumstances. The controller to processor agreement (Art. 28 GDPR) sets up the subject matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

 

Non-EU Data Transfer: Steps for your GDPR compliance

In the case of non-EU data transfers, the GDPR foresees specific situations when such transfers may be carried out. In particular, organisations engaging in non-EU transfer of personal data will need to verify whether there is an adequacy
decision of the EU Commission and if not, provide additional guarantees by means of contractual agreements.

1st Step: Is there an adequacy decision by the EU Commission?

The EU Commission can issue a decision concerning the level of data protection in a non-EU country (e.g. EU-US Privacy Shield). These decisions are based on a thorough assessment on whether the third country has appropriate legal safeguards for data protection equivalent to those in the EU. The effect of the adequacy decision is to remove any barriers for data transfers from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further data protection requirement being necessary.

2nd Step: Transfers subject to appropriate safeguards

Where the third country is not covered by an adequacy decision, EU organisation should consider one of the following alternatives:

• Standard Contractual Clauses The European Commission can also adopt standard contractual clauses that facilitate EU controllers in providing sufficient safeguards on data protection when transferring personal data to a non-EU controller or processor. So far, the EU Commission has issued two sets of standard contractual clauses: data transfer from EU controller to non-EU or EEA controller and EU controller to non – EU or EEA processor. Data Protection Authorities may also adopt model clauses. These clauses, however, would require the approval of the Commission. Last but not least, the cross-border transfer may also take place on the basis of ad hoc contractual clauses negotiated between the data exporter and the data importer, which are subject
  to approval from the competent DPA.

• Binding Corporate Rules (BCRs) In case of transfer of personal data from one company entity to another company entity – regardless of the territory – the transfer of data takes place on the basis of Binding Corporate Rules (BRCs). Binding Corporate Rules are legally binding rules approved by the competent supervisor authority, which regulate the transfer and processing of personal data within members of a group of undertakings or group of enterprises engaged in a joint economic activity and their employees, including those located outside of EU territory. The advantage of the BCRs, compared to Standard Contractual Clauses, is that once the approval from the Data Protection Authorities is obtained, this enables all future intra-group transfers regardless of the territory, without any additional requirement.

• Additional safeguards In addition to the abovementioned options, the GDPR has introduced two alternative adequacy instruments for the transfer of data: the approved certification mechanism and the approved code of conduct. Both mechanisms allow for data transfer provided that binding and enforceable commitments are made from the data importer to apply the appropriate safeguards for data protection.

 

Exemptions for data transfers

There is a number of exemptions where transfer of personal data can take place in absence of the abovementioned transfer mechanisms.  These are limited circumstances and include cases when:   

• explicit consent is given by data subject;
• the transfer is necessary for the conclusion or performance of the contract;  
• there are important reasons of public interest;   
• it is necessary to establish, exercise or defend legal claims;    
• it is necessar for the vital interest of data subject or other persons;   
• it involves public register data;

In addition, the GDPR introduces a new and limited derogation for non-repetitive transfers involving a limited number of data subjects. In absence of other lawful basis, the transfer is permitted when it is necessary for the purpose of compelling legitimate interests of the data exporter which are not overridden by those of the data subject and where the exporter has adduced adequate safeguards for the transferred data. In these cases, the exporter must inform the relevant Data Protection Authority and the data subject about the transfer.

 

Conclusion

Data transfer compliance remains an important issue for organisations which business activities involves transfer of personal data in a third non-EU country. Given the severity of sanctions in case of breach of data protection rules (up to € 20 million or 4% of the annual global turnover), preparedness for the adoption of the right transfer mechanism is crucial. For this reason, as a first step, it is necessary to identify those processes that involve non-EU data transfers. In the absence of an adequacy decision, organisations would need to consider and provide for appropriate safeguards (Standard Contractual Clauses or BCRs). The convenience of certification schemes and codes of conduct as possible transfer mechanisms should not be underestimated. At the same time, derogations are possible under exceptional circumstances, only when appropriate safeguards are put in place.