How to transfer data to a ‘third country’ under the GDPR

The European Commission released a notice to stakeholders last week called “Withdrawal of the United Kingdom from the Union and EU rules in the field of data protection”.

The notice states that as because the UK has triggered Article 50 and will no longer be part of the EU on 30 March 2019, it will become a ‘third country’. Unless a withdrawal agreement can be established before the withdrawal date, the EU General Data Protection Regulation (GDPR) rules for transferring personal data to third countries will apply to the UK.

In light of considerable uncertainty about the withdrawal agreement’s content, the notice reminds all stakeholders processing personal data of the legal repercussions associated with a data transfer to the UK when it becomes a ‘third country’.

If no ‘adequacy decision’ is made before the withdrawal date, companies that transfer personal data to the UK will need to have appropriate safeguards in place.

As many Irish organisations do business with UK companies, we decided to look at the appropriate safeguards.

Standard data protection clauses: The Commission has so far issued two sets of standard contractual clauses for transfers from data controllers to data controllers established outside the EU/EEA, and one set for transfers to data processors established outside the EU/EEA. These clauses are available to download from the Commission’s website.

Using standard data protection clauses adopted by the European Data Protection Supervisor or Irish Data Protection Commissioner should not prevent controllers or processors from including the clauses in a wider contract, or adding other clauses as long as they don’t contradict.

Binding corporate rules (BCRs): BCRs were developed by the EU Article 29 Working Party to allow multinational corporations, international organisations and groups of companies to make intra-organisational cross-border transfers of personal data in compliance with EU data protection law.

BCRs are designed to ensure all transfers made by an organisation or within a group maintain an adequate level of protection. They are an alternative to companies having to sign standard contractual clauses each time data needs to be transferred to a member of the group.

To get approval for BCRs, the company concerned must choose a lead data protection supervisory authority, which will coordinate securing approval from the other relevant data protection authorities involved. The lead authority – which in Ireland is the Irish Data Protection Commissioner – must also approve the BCRs.

Codes of conduct: An approved code of conduct pursuant to Article 40 of the GDPR together with binding and enforceable commitments from the controller or processor in the third country to apply the appropriate safeguards, including safeguards in relation to data subjects’ rights.

Certification mechanism: An approved certification mechanism pursuant to Article 42 of the GDPR together with binding and enforceable commitments from the controller or processor in the third country to apply the appropriate safeguards, including safeguards in relation to data subjects’ rights.

Learn more about correctly transferring data to third countries, and ensure your organisation has the right safeguards in place with our five-day EU GDPR Foundation & Practitioner courses in Cork, Dublin and Galway. Book now to avoid disappointment >>

Leave a Reply

Your email address will not be published. Required fields are marked *