The rapid development of new technologies and their speedy integration into business models has changed the way businesses operate, making it convenient and cost-effective to process, exchange or even store personal data in different locations.
However, the legal implications involved when storing or transferring personal data elsewhere tend to be overlooked. The General Data Protection Regulation (GDPR) contains a specific chapter on data transfers. In a nutshell, transfers to non-EU jurisdictions with insufficient or no data protection legislation and remedies will result in a lower level of data protection, unless adequate safeguards are in place.
What happens with the GDPR?
In the General Data Protection Regulation (GDPR), EU lawmakers attempt to address this phenomenon by having clearer, more prescriptive and harmonized rules for non-EU transfers. In addition, the GDPR also aims to protect EU citizens’ data by applying a wider territorial scope when compared to the current EU data protection framework. In fact, non-EU entities offering goods or services, or monitoring the behaviour of individuals based in the EU, will also be subject to the GDPR.
Transfers within the EU
For intra-EU transfers, no additional measures would be required, given the direct applicability of the GDPR. Nevertheless, where a controller engages a service provider acting as processor, the relationship needs to be governed by a contract and is subject to the minimum criteria laid down under the GDPR for these circumstances. You can learn more about responsible bodies according to the GDPR in the article EU GDPR controller vs. processor – What are the differences?
Steps for non-EU data transfers
In the case of non-EU data transfers, the law lays down specific situations in which such transfers may be carried out. Organisations will need to consider whether there is an adequacy decision of the EU Commission and, if not, provide additional guarantees by means of contractual agreements. To find out why the GDPR is not reserved only for EU countries, check the article What is the EU GDPR and why is it applicable to the whole world?
1) Is there an adequacy decision by the EU Commission?
The EU Commission may issue favourable decisions concerning the level of data protection in a non-EU country or even in specified sectors, such as, for example, the EU-US Privacy Shield. These decisions are based on a thorough assessment of the data protection adequacy in the third country, and on the principle that such a country provides sufficient guarantees which are essentially equivalent to those in the EU. An adequacy decision removes any barrier to data transfers to such jurisdictions or sectors.
An updated list of adequacy decisions under the current framework is available on the EU Commission’s website.
2) Transfers subject to appropriate safeguards
In the absence of an adequacy decision, EU entities should consider one of the following options:
Standard Contractual Clauses. These are model contracts adopted by the EU Commission with the aim of facilitating EU controllers in providing sufficient guarantees when transferring personal data to a non-EU controller or processor. Under the GDPR, Supervisory Authorities may also adopt standard clauses. These clauses, however, would require the approval of the Commission.
This tool is already available under the current legal framework, and will remain valid until amended or reviewed by the Commission. EU data controllers typically use these standard clauses either as ad-hoc contracts or as part of wider service-level or business-related agreements, both with other intra-group entities and with external organisations based outside the EU.
Binding Corporate Rules (BCR). These are a set of internal rules defined by multinational organisations to regulate the transfer and subsequent processing of personal data within group entities, including those located outside EU territory. The significant advantage of BCRs, when compared to Standard Contractual Clauses, is that approval is obtained once, from the Supervisory Authority leading the authorisation process. In turn, this implies the adequacy of the data protection framework adopted by the multinational. This will enable all future intra-group transfers, irrespective of the jurisdiction, without any additional formalities.
The Article 29 Working Party, composed of EU Supervisory Authorities, has issued specific guidelines to assist multinationals in ensuring that the rules contain not only essential data protection principles, but also the effective and binding mechanisms necessary to guarantee an adequate level of data protection.
Additional safeguards. Certification mechanisms and codes of conduct, which are both novelties introduced by the GDPR, may also serve as adequacy instruments for data transfers in the future.
3) Exemptions for data transfers
In the absence of an adequacy decision or appropriate safeguards, the GDPR still provides some exemptions whereby a transfer can be made. These exemptions include data transfers that are:
- effected with the data subject’s explicit consent
- necessary for the performance or conclusion of a contract involving the data subject
- based on important reasons of public interest
- necessary to establish, exercise, or defend legal claims
- necessary for vital interests of the data subject or other persons
- made from a register intended to provide information to the public, subject to conditions laid down by Union or Member State law
Next steps for your organisation
Primarily, organisations should identify those processes that involve non-EU data transfers. In the absence of an adequacy decision, they would need to consider and provide for appropriate safeguards (Standard Contractual Clauses or BCRs). The usefulness of certification schemes and codes of conduct as possible transfer legitimisation instruments should not be underestimated. While derogations are also a possible option, these are considered the exception to the rule and should be used only in limited circumstances (e.g. one-off or urgent transfers) when it is not possible to resort to other safeguards.