To extend the Regulation’s protection beyond the borders of the EU, the GDPR contains a number of provisions controlling how organisations within the EU may transfer personal data internationally.
The term “third countries” is not defined in the GDPR. It comes from the EU’s primary treaties, where it refers to countries that are not party to those treaties, and it is used throughout EU law in that sense. Because the GDPR applies as law in the EU and the EEA, a “third country” for GDPR purposes is any country that is not a Member State of the EU or the EEA. Europe contains a number of overlapping groupings (the EU, the EEA, the Eurozone, EFTA and the Council of Europe, among others), so it is critical to understand which countries “in Europe” you may send personal data to without further measures, and what rules must be in place for the rest.
For ease of reference, the EU and EEA countries are shown in Table 2.
Table 2: EU and EEA Country List
The United Kingdom voted in a referendum in 2016 to leave the EU. Once it has left, it will be a third country for GDPR purposes: transfers to it will no longer be automatically permitted, and will require an adequacy decision or one of the other safeguards described below.
The additional conditions for transferring data to third countries also apply to transferring data to international organisations. Unlike third countries, international organisations are defined in the Regulation:
‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
Public international law is the body of law that governs how nations deal with one another, and with individuals, organisations and other entities across borders. An international organisation in the GDPR sense is therefore a body created by states, typically under a treaty or an intergovernmental agreement, such as the United Nations and its agencies.
The definition is narrower than everyday usage. A private company established in the EU/EEA that has operations outside it is not an ‘international organisation’ under this definition: a German company with a US subsidiary, for instance, is a multinational group of undertakings, and a transfer to its US entity is a transfer to a third country, subject to the rules for third countries. You should always take care to ensure that you understand the full business nature of the organisations with which you interact, and which set of rules a given transfer falls under.
Key requirements for transferring personal data
Transferring personal data to a country outside the EU/EEA can only be done if one of two conditions is met (or, failing both, if one of the derogations listed below applies):
- The destination has been the subject of an adequacy decision.
- The transfer is subject to appropriate safeguards to protect the personal data.
Meeting one of these conditions is necessary, but it is not an unconditional guarantee: the Commission can amend, suspend or repeal an adequacy decision, and a supervisory authority can order transfers to a specific recipient or country to be suspended, regardless of the security measures you have put in place.
Any onward transfer of the personal data – within the destination country or beyond – is subject to these same restrictions. If your organisation is based in the EEA and wants to transfer data to a third country or international organisation, you will need to ensure that all of the conditions are met, including that the recipients in that third country or international organisation will abide by the requirements of the GDPR for any onward transfer.
Where neither an adequacy decision nor appropriate safeguards are in place, the derogations under which a transfer may still be made are:
- The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of the transfer, in particular those arising from the absence of an adequacy decision and of appropriate safeguards.
- The transfer is necessary for the performance of a contract between the data subject and the controller, or to implement pre-contractual measures taken at the data subject’s request.
- The transfer is necessary for the conclusion or performance of a contract, concluded in the interests of the data subject, between the controller and another natural or legal person.
- The transfer is necessary for important reasons of public interest.
- The transfer is necessary to establish, exercise or defend legal claims.
- The transfer is necessary to protect the vital interests of the data subject or of other persons, and the data subject is physically or legally incapable of giving consent.
- The transfer is made from a register that is intended by law to provide information to the public and is open to consultation, but only to the extent that the conditions laid down by law for consultation are fulfilled.
You will need to ensure that you clearly document your justification for the transfer, and that this documentation can be made available to the supervisory authority on request.
Adequacy decisions are decisions by the Commission that a third country, a territory or specified sector within a third country, or an international organisation provides an adequate level of protection, so that personal data may be transferred there without any further authorisation. Such a decision rests on an assessment of the destination’s law and practice. The adequacy criteria require that the third country has at least the following:
- The rule of law.
- Access to justice.
- Respect for human rights and fundamental freedoms.
- Relevant legislation, both general and sectoral, with regard to:
  - Public security;
  - National security;
  - Public order; and
  - Criminal law.[1]
There is already a short list of countries that meet the adequacy criteria, as shown in Table 3.
Table 3: Countries Meeting the Adequacy Criteria
A number of ‘European’ states are listed above because they are not in fact members of the EEA. Switzerland is a member of EFTA but not of the EEA, for instance, while Jersey, Guernsey and the Isle of Man are Crown Dependencies that are neither EU nor EEA members: their relationship with the EU was limited to trade in goods (under Protocol 3 to the UK’s Act of Accession), so each needed its own adequacy decision.
Note that the United States is not among the countries for which an adequacy decision has been made. This is partly because the United States has no comprehensive federal data protection law; federal privacy law there is sectoral. Most US states have their own data protection or data breach notification laws, and these provide varying levels of protection for consumers. Special arrangements exist to make data transfers between the EU and the USA possible, and these are described later in this chapter.
Transfers to third countries and international organisations are permissible if there are appropriate measures to protect the rights and freedoms of the data subject, and if the data subject will have enforceable rights and legal remedies. This means ensuring that the data will be secure, and that the personal data will only be transferred to an organisation within a legal system that will support the data subject’s rights. If you cannot meet both of these requirements, the transfer will not be deemed legal under the Regulation.
The Regulation provides a set of acceptable safeguards. The first six can be relied on without further authorisation; the last two require specific authorisation from the competent supervisory authority before they can be considered to comply with the Regulation:
- Legally binding and enforceable instrument between public authorities or bodies.
- Binding corporate rules.
- Standard data protection clauses adopted by the Commission.
- Standard data protection clauses adopted by a supervisory authority and approved by the Commission.
- An approved code of conduct together with binding and enforceable commitments of the controller/processor in the third country to apply appropriate safeguards and protect data subjects’ rights.
- An approved certification mechanism with binding and enforceable commitments of the controller/processor in the third country to apply appropriate safeguards and protect data subjects’ rights.
- Contractual clauses between the controller/processor and the controller/processor/recipient in the third country or international organisation.
- Provisions inserted into administrative arrangements between public authorities or bodies, including enforceable and effective data subject rights.[2]
1.2 Binding corporate rules
Binding corporate rules were originally devised by the Article 29 Working Party (WP29) to allow large organisations, or groups of organisations, to transfer personal data internationally within the group under a single approved set of policies, instead of putting separate contracts or authorisations in place for each transfer. They are defined in the GDPR as:
‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
Binding corporate rules are not rules set by individual Member States: they are the organisation’s own policies, approved by the competent supervisory authority under the GDPR’s consistency mechanism. To be approved they must be legally binding on, and enforced by, every member of the group, must expressly confer enforceable rights on data subjects, and must cover the content the Regulation requires (such as the structure of the group, the categories of data and transfers, the data protection principles applied, and the complaint procedures).
1.3 Standard contractual clauses
Standard contractual clauses (SCCs) are Commission-approved contractual terms that can be included in contracts between EU controllers and non-EU controllers, and between EU controllers and non-EU processors. They set out clearly and in legally enforceable terms how the requirements of the GDPR apply to the relationship. They are an effective method of securing the transfer (assuming both parties then abide by the clauses), but they cannot be modified: they may be embedded in a wider commercial contract, but the clauses themselves must be used exactly as the Commission has provided them, and nothing in the surrounding contract may contradict them.
1.4 The EU-US Privacy Shield
As we have said previously, without an adequacy decision an EU organisation cannot transfer personal data to a country unless appropriate safeguards or a derogation apply. Given the volume of routine EU-US data flows, this was a major issue for the EU-US trading relationship, and it led to the development of the ‘Safe Harbor’ framework, under which US organisations could register with the US Department of Commerce, self-certify their adherence to the Safe Harbor privacy principles and, on that basis, receive personal data from the EU as though the destination were adequate.
In October 2015, in the Schrems case, the European Court of Justice declared the Commission’s Safe Harbor decision “invalid”: it was not an adequate mechanism for complying with EU data protection legislation. Work therefore started on a replacement mechanism: the EU-US Privacy Shield Framework.
The EU-US Privacy Shield was adopted by the EU Commission in July 2016 and became available on 1 August 2016. The Commission has deemed the protection the Shield provides to EU residents’ personal data to be “adequate” for the purposes of the GDPR requirements on international transfers. These requirements apply as much to the personal data of employees as to the personal data of customers: HR data is not outside the scope of the GDPR. A US organisation with operations in the EU that simply wishes to process or store HR data relating to its EU staff in the US therefore has to comply with the GDPR, and will need to rely on the Privacy Shield (having joined the Framework) or on another of the safeguards described above, such as standard contractual clauses or binding corporate rules. The alternatives are to limit all such processing to EU entities or to withdraw from doing business in the EU.
©IT Governance Publishing Ltd
Understand your organisation’s GDPR obligations and prioritise the steps you need to take to comply
Now in its third edition, EU GDPR – An Implementation and Compliance Guide provides detailed commentary on the Regulation. This clear and comprehensive book sets out the obligations of data processors and controllers in simple terms and will help you understand how to achieve compliance with the GDPR.