The Federal Commissioner for Data Protection and Freedom of Information

International data transfers

When personal data are transferred to a third country or to an international organisation, controllers or processors must check whether the general requirements of the GDPR for a data transfer are met. Furthermore, the additional requirements of Chapter V of the GDPR must be taken into account.

Data can be transferred to a third country or to an international organisation under the following conditions:

Adequacy decision

Pursuant to Art. 45 of the GDPR, the European Commission can decide that a third country or an international organisation ensures an adequate level of data protection. If a data transfer is covered by an adequacy decision, no further protection measure is required. Adequacy decisions currently exist for Argentina, Israel, Japan (only in relation to the private sector), Canada (only in relation to the private sector), New Zealand, Switzerland, Uruguay, the United Kingdom (UK) and the US (only in relation to US companies and organisations participating in the EU-US Data Privacy Framework (EU-US DPF)). The European Commission provides an up-to-date overview of the adopted adequacy decisions.

Legal situation after the adoption of the adequacy decision on the EU-US DPF

On 10 July 2023, the European Commission adopted the adequacy decision on the EU-US Data Privacy Framework, which entered into force immediately. In doing so, the European Commission has decided that the US now also ensures an adequate level of protection for personal data transferred from the EU to companies and organisations in the US. The prerequisite is that these companies and organisations are certified under the EU-US DPF and are listed on the DPF list. The EU-US DPF adequacy decision changes the legal assessment regarding international transfers of personal data to the US: Data transfers from the EU to the US may take place – within the scope of the adequacy decision – to certified companies and organisations without additional transfer tools pursuant to Art. 46 GDPR being necessary or without the need to supplement them by supplementary measures.

The German Data Protection Conference (DSK) has issued application notes on the adequacy decision on the EU-US DPF.

We have also compiled the most important information on the still relevant consequences of the Schrems II judgment. These relate to companies and organisations outside the scope of the EU-US DPF adequacy decision and to transfers to other third countries (without adequacy decision).

Appropriate safeguards

In the absence of an adequacy decision, the data transfer must be accompanied by further protective measures (so-called appropriate safeguards).

The GDPR provides for the following appropriate safeguards:

Standard data protection clauses

Standard data protection clauses adopted by the European Commission can be used as a basis for data transfers to third countries and to international organisations without further authorisation by the supervisory authorities if these clauses are included without essential modifications in the underlying contracts.

In June 2021, the European Commission adopted standard contractual clauses, Commission Implementing Decision (EU) 2021/914. As part of the procedure, the European Data Protection Board and the European Data Protection Supervisor had issued a joint opinion.

Since 27 September 2021, only the current standard contractual clauses can be concluded; from this date, contracts can no longer be concluded on the basis of the “old standard contractual clauses” (see Decision 2001/497/EC or Decision 2010/87/EU). “Old contracts” could still be used until 27 December 2022. After that, a transition to the current standard contractual clauses had to have taken place; any further use of the old contracts is no longer possible.

In May 2022, the European Commission published “Questions and Answers (Q & As)” as guidance on the application of the standard contractual clauses. The document is dynamic and should be updated when new issues arise.

Supervisory authorities can also draw up their own standard data protection clauses. However, these must be coordinated with the other European supervisory authorities and subsequently approved by the European Commission.

Individually negotiated contractual clauses

Individually negotiated contractual clauses can also be an appropriate safeguard for a data transfer to a third country. However, they must be approved by the competent supervisory authority and coordinated with the other European Supervisory Authorities.

Binding Corporate Rules (BCR)

BCR are mainly used by international corporations with internal data flow (also) to third countries. In this context, the company lays down rules for the handling of personal data also in third countries. The BCR must be legally binding for all relevant members of the corporate group and must grant enforceable rights to the data subjects. BCR must be approved by the competent supervisory authority after consultation with the other European Supervisory Authorities. Further information on the approval procedure can be found on the European Commission’s website on BCR.

The EDPB has published recommendations on the BCR for controllers (BCR-C).

Approved Codes of Conduct or an approved Certification Mechanism

Industry-specific codes of conduct and certification mechanisms can be the basis for international data transfers under the GDPR if they have been approved by the competent supervisory authority or issued by the certification body or supervisory authority. However, these tools must be accompanied by legally binding and enforceable commitments of the controller or processor in the third country, in particular with regard to data subjects’ rights.

The European Data Protection Board has developed guidelines on the legal framework and procedural issues to ensure uniform implementation of these new transfer tools. For this purpose, guidelines on “Codes of Conduct as tools for transfers” and “Guidelines on certification as a tool for transfers” have been published.

Specific safeguards for public authorities

For authorities, the GDPR provides for further transfer tools that are better suited to their situation. This allows authorities to use a legally binding and enforceable document, such as an international agreement, which grants enforceable data subject rights and effective legal remedies to data subjects affected by international data transfers. As a second special transfer tool, authorities can include provisions in an administrative arrangement that grant data subjects enforceable and effective rights. However, these provisions must be approved by the competent supervisory authority and coordinated with the other European Supervisory Authorities.

The European Data Protection Board has already developed guidelines on these safeguards in administrative arrangements that provide guidance on how these safeguards can be fleshed out. These, as well as an up-to-date overview of the guidelines adopted by the European Data Protection Board, can be found on the EDPB's website.

Derogations

A data transfer to a third country or to an international organisation may also be permissible by way of exception in special and conclusive cases explicitly mentioned in Art. 49 GDPR if neither an adequacy decision of the European Commission nor appropriate safeguards are available.

These exceptional cases include inter alia the following situations:

  • the individual has explicitly consented to the proposed transfer after having received all required information on the risks associated with the transfer;
  • the transfer is necessary for the performance or conclusion of a contract between the individual and the controller, or if the contract is concluded in the individual’s interest;
  • the data transfer is necessary for important reasons of public interest.

The derogations in Art. 49 of the GDPR must be interpreted narrowly and, according to the guidelines of the European Data Protection Board, they must not be used for regular data transfers involving a large number of persons. It should be taken into account that no protection for the transferred data is guaranteed in the case of data transfers based on Art. 49 GDPR.
