International data transfers
When transferring data to a third country or to an international organisation, controllers or processors must check whether the general prerequisites of the GDPR for data transfers are complied with. Moreover, the additional requirements set out in Chapter V of the GDPR must be taken into account.
Data can be transferred to a third country or to an international organisation under the following conditions:
According to Art. 45 of the GDPR, the European Commission can decide that a third country or an international organisation guarantees an adequate level of data protection. If a data transfer is covered by an adequacy decision, no further protection measure is required. Adequacy decisions are currently in place, among others, for Argentina, Israel, Japan (only in relation to the private sector), Canada (only in relation to the private sector), New Zealand, Switzerland, and Uruguay. The European Commission provides a current overview of the adequacy decisions adopted.
In the absence of an adequacy decision, the GDPR assumes that the third country or the international organisation does not ensure an adequate level of data protection. Then the data transfer must be accompanied by further protective measures.
The GDPR provides for the following appropriate guarantees:
Standard data protection clauses
Standard data protection clauses adopted by the European Commission can be used as a basis for data transfers to third countries and to international organisations without further authorisation by the supervisory authorities if these clauses are included without essential modifications in the underlying contracts.
In June 2021, the European Commission adopted standard contractual clauses, Commission Implementing Decision (EU) 2021/914. The European Data Protection Board and the European Data Protection Supervisor issued a joint opinion within the framework of the procedure.
Since 27 September 2021, only the current standard contractual clauses can be concluded, and from that date it is no longer possible to conclude contracts on the basis of the ‘old standard contractual clauses’ (see Decision 2001/497/EC or Decision 2010/87/EU). Notice about ‘old contracts’ concluded before 27 September 2021: these contracts can still be used until 27 December 2022 “[...] provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards” (Article 4 of the Standard Contractual Clauses 2021/914). By that date, a conversion to the current standard contractual clauses must have taken place; it is no longer possible to continue using the old contracts.
Supervisory authorities can also draw up their own standard data protection clauses. However, these clauses must be coordinated with the other European supervisory authorities and subsequently be approved by the European Commission.
Individually negotiated contractual clauses
Individually negotiated contractual clauses can also be an appropriate guarantee for data transfers to a third country. However, they must be approved by the competent supervisory authority and coordinated with the other European supervisory authorities.
Binding internal data protection rules (Binding Corporate Rules - BCR)
BCRs are mainly used by internationally active corporate groups with internal data flows (also) into third countries. In this context, the group lays down rules for the handling of personal data that also apply in third countries. BCRs must be legally binding for all relevant members of the corporate group and grant enforceable rights to the data subjects. BCRs must be approved by the competent supervisory authority after consultation with the other European supervisory authorities. Further information on the authorisation procedure is available on the European Commission’s website (rules on international data transfers).
Approved Codes of Conduct or an approved certification mechanism
Under the GDPR, both industry-specific codes of conduct and certification mechanisms may be the basis for an international data transfer if they have been approved by the competent supervisory authority or issued by the certification body or by the supervisory authority. However, these instruments must be accompanied by legally binding and enforceable obligations of the controller or processor in the third country, in particular with regard to the data subjects’ rights.
The European Data Protection Board is currently preparing guidelines on the legal framework and procedural issues to ensure a consistent implementation of these new transfer instruments.
Specific guarantees for public authorities
For public authorities, the GDPR provides further transfer instruments that better correspond to their situation. In this way, authorities can use a legally binding and enforceable document, such as an international agreement, providing data protection rights and effective remedies for persons concerned by international data transfers. As a second specific transfer instrument, public authorities may include provisions in an administrative arrangement granting enforceable and effective data protection rights to data subjects. However, these provisions must be approved by the competent supervisory authority and coordinated with the other European supervisory authorities.
The European Data Protection Board has already prepared guidelines on these guarantees in administrative arrangements which provide guidance on how to design these guarantees. These guidelines and a current overview of the guidelines adopted by the European Data Protection Board can be found on its website.
Authorities performing law enforcement functions can carry out data transfers within the scope of Sections 79 to 81 of the BDSG (German Federal Data Protection Act).
A data transfer to a third country or to an international organisation may be exceptionally permissible in the presence of special cases explicitly mentioned in Art. 49 of the GDPR, if there is neither an adequacy decision of the European Commission nor appropriate safeguards.
These exceptional cases include the following situations:
- the individual has explicitly consented to the proposed transfer after having received all required information on the risks associated with the transfer;
- the transfer is necessary for the performance or conclusion of a contract between the individual and the controller, or if the contract is concluded in the individual’s interest;
- the data transfer is necessary for important reasons of public interest;
- the data transfer is necessary for the protection of the mandatory legitimate interests of the organisation.
The derogations in Article 49 of the GDPR must be interpreted narrowly and, according to the guidelines of the European Data Protection Board, they must not be used for regular data transfers involving a large number of persons.