Overseas transfer of personal data


Transfers of personal data overseas require careful consideration of the adequacy of the data protection safeguards in the overseas territory and the international organisation to which the data is being transferred.

For the purposes of the GDPR, a non-EU country is treated as a “third country” and transfers of personal data to third countries are permitted only if appropriate safeguards are in place or if an adequacy decision has been made by the EU Commission.

Appropriate safeguards may be provided by:

>  Standard data protection model clauses

>  Binding corporate rules which are legally binding data protection rules approved by a competent data protection authority which apply within a corporate group

>  Approved codes of conduct together with binding and enforceable commitments of the controller or processor in the third country

>  Approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country

Where appropriate safeguards are absent, or there has been no adequacy decision made by the EU Commission in respect of the personal data transfer to a third country, the GDPR will permit transfers on the basis of “derogations” where: consent has been obtained; performance of a contract is necessary; transfer is necessary for the exercise of legal claims; or transfer is required for public interest reasons.

Although the appropriate safeguard requirements may initially appear onerous, the derogations accept that international data transfers are a vital business need and the GDPR has sought to reduce bureaucracy by removing the requirement for specific authorisation for data transfers when approved standard data protection clauses are used or binding corporate rules have been pre-approved.

Adequacy decisions of the EU Commission allow businesses to transfer personal data from an EU Member State to third countries without having to satisfy themselves that adequate safeguards are in place for each transfer. The adequacy assessment is based on a test set by the Court of Justice of the European Union (CJEU) in Schrems, which ascertains whether the data protection standards in a third country are “essentially equivalent” to those applied in the EU (Maximillian Schrems v Data Protection Commissioner (C–362/14), Grand Chamber, 6 October 2015).

The Commission has adopted 12 adequacy decisions in respect of the following countries:

>  Andorra

>  Argentina

>  Canada – limited to transfers to commercial organisations who are subject to the Canadian Personal Information Protection and Electronic Documents Act

>  The Faroe Islands

>  Guernsey

>  Israel

>  Isle of Man

>  Jersey

>  New Zealand

>  Switzerland

>  Uruguay

>  US – for certified companies

The partial adequacy decision for the US is in the form of the EU-US Privacy Shield, which only applies to transfers to US companies that have self-certified as having met the standards set out in the Privacy Shield framework.

Many countries outside the EU are now looking at how they can obtain EU adequacy recognition to allow greater freedom in the access and transfer of EU personal data. South Korea has one of the strictest privacy regimes in the world but until they have an EU adequacy ruling they must seek explicit consent for data transfers where the appropriate safeguards are not in place.

Although the UK is exiting the EU, the UK’s Data Protection Bill will set out the UK’s post-Brexit data protection position and will be aligned with the GDPR. It is expected that the EU will grant an adequacy ruling in respect of data transfers between the EU and UK to govern the free flow of personal data between the UK and EU.
