The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
In more detail…
When can personal data be transferred outside the European Union?
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.
Transfers on the basis of a Commission decision
Transfers may be made where the Commission has decided that a third country, a territory or one or more specific sectors in the third country, or an international organisation ensures an adequate level of protection.
Transfers subject to appropriate safeguards
You may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer. Adequate safeguards may be provided for by:
a legally binding agreement between public authorities or bodies;
binding corporate rules (agreements governing transfers made between organisations within in a corporate group);
standard data protection clauses in the form of template transfer clauses adopted by the Commission;
standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission;
compliance with an approved code of conduct approved by a supervisory authority;
certification under an approved certification mechanism as provided for in the GDPR;
contractual clauses agreed authorised by the competent supervisory authority; or
provisions inserted in to administrative arrangements between public authorities or bodies authorised by the competent supervisory authority.
Next steps for the Article 29 Working Party
According to its workplan, the Article 29 Working Party will publish guidelines on data transfers based on binding corporate rules and contractual clauses in 2017.
The GDPR limits your ability to transfer personal data outside the EU where this is based only on your own assessment of the adequacy of the protection afforded to the personal data.
Authorisations of transfers made by Member States or supervisory authorities and decisions of the Commission regarding adequate safeguards made under the Directive will remain valid/remain in force until amended, replaced or repealed.
The GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations. A transfer, or set of transfers, may be made where the transfer is:
made with the individual’s informed consent;
necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request;
necessary for the performance of a contract made in the interests of the individual between the controller and another person;
necessary for important reasons of public interest;
necessary for the establishment, exercise or defence of legal claims;
necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or
made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).
The first three derogations are not available for the activities of public authorities in the exercise of their public powers.
What about one-off (or infrequent) transfers of personal data concerning only relatively few individuals?
Even where there is no Commission decision authorising transfers to the country in question, if it is not possible to demonstrate that individual’s rights are protected by adequate safeguards and none of the derogations apply, the GDPR provides that personal data may still be transferred outside the EU. However, such transfers are permitted only where the transfer:
is not being made by a public authority in the exercise of its public powers;
is not repetitive (similar transfers are not made on a regular basis);
involves data related to only a limited number of individuals;
is necessary for the purposes of the compelling legitimate interests of the organisation (provided such interests are not overridden by the interests of the individual); and
is made subject to suitable safeguards put in place by the organisation (in the light of an assessment of all the circumstances surrounding the transfer) to protect the personal data.
In these cases, organisations are obliged to inform the relevant supervisory authority of the transfer and provide additional information to individuals.