Cross-border data transfers

This article explains cross-border data transfers.
Europe map
© by TheAndrasBarta via Pixabay

As a general rule, transfers of personal data to countries outside the European Economic Area may take place if these countries are deemed to ensure an adequate level of data protection.

Article 45 GDPR provides that the third countries’ level of personal data protection is assessed by the European Commission. According to the GDPR, the Commission’s adequacy decision may also be limited to specific territories or to more specific sectors within a country. The countries that have been evaluated thus far as having an adequate level of data protection can be found here.

The GDPR envisages that the European Commission would review its adequacy decisions at least every four years. Such a decision can be repealed, amended or suspended without retroactive effect.

“Network” by geralt via Pixabay

There are, however, some exceptions to the general rule found in Article 46(1) GDPR. Personal data can be transferred to a third country even in the absence of an adequacy decision:

(i) if the controller or processor exporting the data has itself provided for appropriate safeguards; and

(ii) on the condition that enforceable data subject rights and effective legal remedies are available in the given country.

The appropriate safeguards can be laid down in the following most relevant instruments:

  • Binding corporate rules, which are internal codes of conduct adopted by multinational groups of undertakings, as discussed in step 4.9, and which allow transfers between different entities of the group;
  • Standard contractual clauses adopted by the European Commission or by a national supervisory authority and approved by the European Commission;
  • Other ad hoc contractual clauses agreed between the data exporter and the data importer, which can be deemed to be appropriate if they have been submitted to and authorized by the competent national supervisory authority.

In the absence of an adequacy decision or of appropriate safeguards as listed above, a cross-border transfer may still take place exceptionally in one of the specific situations listed in Article 49.

© University of Groningen
This article is from the free online

Understanding the GDPR
