Skip main navigation

Cross-border data transfers

This article explains cross-border data transfers.
Europe map
© University of Groningen

As a general rule, transfers of personal data to countries outside the European Economic Area may take place if these countries are deemed to ensure an adequate level of data protection.

Article 45 GDPR provides that the third countries’ level of personal data protection is assessed by the European Commission. According to the GDPR, the Commission’s adequacy decision may be limited also to specific territories or to more specific sectors within a country. The countries that have been evaluated thus far as having an adequate level of data protection can be found here.

The GDPR envisages that the European Commission would review its adequacy decisions at least every four years. Such a decision can be repealed, amended or suspended without retro-active effect.

"Network" by geralt via Pixabay “Network” by geralt via Pixabay

There are, however, some exceptions to the general rule found in Article 46(1) GDPR. Personal data can be transferred to a third country even in the absence of an adequacy decision:

(i) if the controller or processor exporting the data has himself provided for appropriate safeguards; and

(ii) on the condition that enforceable data subject rights and effective legal remedies are available in the given country.

The appropriate safeguards can be laid down in the following most relevant instruments:

  • Binding corporate rules which are internal codes of conduct adopted by multinational groups of undertakings, as discussed in step 4.9, and allow transfers between different entities of the group;
  • Standard contractual clauses adopted by the European Commission or by a national supervisory authority and approved by the European Commission;
  • Other ad hoc contractual clauses agreed between the data exporter and the data importer which can be deemed to be appropriate if they have been submitted and authorized by the competent national supervisory authority.

In the absence of an adequacy decision or of appropriate safeguards as listed above, a cross-border transfer may still take place exceptionally in one of the specific situations listed in Article 49.

© University of Groningen
This article is from the free online

Understanding the GDPR

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education