International data transfers
When transferring data to a third country or to an international organisation, controllers or processors must check whether the general prerequisites of the GDPR for data transfers are complied with. Moreover, the additional requirements set out in Chapter V of the GDPR must be taken into account.
Data can be transferred to a third country or to an international organisation under the following conditions:
According to Art. 45 of the GDPR, the European Commission can decide that a third country or an international organisation guarantees an adequate level of data protection. If a data transfer is covered by an adequacy decision, no further protection measure is required. Adequacy decisions are currently in place, among others, for Argentina, Israel, Japan (only in relation to the private sector), Canada (only in relation to the private sector), New Zealand, Switzerland, and Uruguay. The European Commission provides a current overview of the adequacy decisions adopted.
In the absence of an adequacy decision, the GDPR assumes that the third country or the international organisation does not ensure an adequate level of data protection. Then the data transfer must be accompanied by further protective measures.
The GDPR provides for the following appropriate guarantees:
Standard data protection clauses
Standard data protection clauses adopted by the European Commission can be used as a basis for data transfers to third countries and to international organisations without further authorisation by the supervisory authorities, provided these clauses are included without essential modifications in the underlying contracts. The European Commission has not yet adopted standard data protection clauses since the entry into force of the GDPR. However, the standard contractual clauses adopted under the previous European Data Protection Directive continue to apply, as Article 46(5) of the GDPR explicitly provides. Contract models are available on the website of the European Commission on international data transfers.
However, the European Commission is currently developing new standard data protection clauses. The date of completion is not yet known, but the current state of the adoption procedure and the draft standard contractual clauses can be traced on the website of the European Commission. The pertinent opinion of the European Data Protection Board and of the European Data Protection Supervisor has already been issued.
Supervisory authorities can also draw up their own standard data protection clauses. However, these clauses must be coordinated with the other European supervisory authorities and subsequently be approved by the European Commission.
Individually negotiated contractual clauses
Individually negotiated contractual clauses can also be an appropriate guarantee for data transfers to a third country. However, they must be approved by the competent supervisory authority and coordinated with the other European supervisory authorities.
Binding internal data protection rules (Binding Corporate Rules - BCR)
BCRs are mainly used by internationally active corporate groups with internal data flows (also) into third countries. In this context, the corporate group lays down rules for the handling of personal data that also apply in third countries. BCRs must be legally binding for all relevant members of the corporate group and grant enforceable rights to the data subjects. BCRs must be approved by the competent supervisory authority after consultation with the other European supervisory authorities. Further information on the authorisation procedure is available on the European Commission’s website on rules on international data transfers.
Approved Codes of Conduct or an approved certification mechanism
Under the GDPR, both industry-specific codes of conduct and certification mechanisms may be the basis for an international data transfer if they have been approved by the competent supervisory authority or issued by the certification body or by the supervisory authority. However, these instruments must be accompanied by legally binding and enforceable obligations of the controller or processor in the third country, in particular with regard to the data subjects’ rights.
The European Data Protection Board is currently preparing guidelines on the legal framework and procedural issues to ensure a consistent implementation of these new transfer instruments.
Specific guarantees for public authorities
For public authorities, the GDPR provides for further transfer instruments that better correspond to their situation. For example, authorities can rely on a legally binding and enforceable document such as an international agreement providing data protection rights and effective remedies for persons concerned by international data transfers. As a second specific transfer instrument, public authorities may include provisions in an administrative arrangement granting enforceable and effective data protection rights to data subjects. However, these provisions must be approved by the competent supervisory authority and coordinated with the other European supervisory authorities.
The European Data Protection Board has already prepared guidelines on these guarantees in administrative arrangements, which explain how such guarantees should be designed. These guidelines and a current overview of the guidelines adopted by the European Data Protection Board can be found on its website.
Authorities performing law enforcement functions can carry out data transfers within the scope of Sections 79 to 81 of the BDSG (German Federal Data Protection Act).