Europe map
Europe

Cross-border data transfers

As a general rule, transfers of personal data to countries outside the European Economic Area may take place if these countries are deemed to ensure an adequate level of data protection.

Article 45 GDPR provides that the third countries’ level of personal data protection is assessed by the European Commission. According to the GDPR, the Commission’s adequacy decision may be limited also to specific territories or to more specific sectors within a country. A current list of countries that have been evaluated as having an adequate level of data protection can be found here.

The GDPR envisages that the European Commission would review its adequacy decisions at least every four years. Such a decision can be repealed, amended or suspended without retro-active effect.

"Network" by geralt via Pixabay “Network” by geralt via Pixabay

There are, however, some exceptions to the general rule found in Article 46(1) GDPR. Personal data can be transferred to a third country even in the absence of an adequacy decision:

(i) if the controller or processor exporting the data has himself provided for appropriate safeguards; and

(ii) on the condition that enforceable data subject rights and effective legal remedies are available in the given country.

The appropriate safeguards can be laid down in the following most relevant instruments:

  • Binding corporate rules which are internal codes of conduct adopted by multinational groups of undertakings, as discussed in step 4.9, and allow transfers between different entities of the group;
  • Standard contractual clauses adopted by the European Commission or by a national supervisory authority and approved by the European Commission;
  • Other ad hoc contractual clauses agreed between the data exporter and the data importer which can be deemed to be appropriate if have been submitted and authorized by the competent national supervisory authority.

In the absence of an adequacy decision or of appropriate safeguards as listed above, a cross-border transfer may still take place exceptionally in one of the specific situations listed in Article 49.

Share this article:

This article is from the free online course:

Understanding the General Data Protection Regulation

University of Groningen