This series provides more detailed insight into the General Data Protection Regulation, which was published on 4 May 2016 and must be complied with by 25 May 2018.
The GDPR does not substantially change the existing international data transfer mechanisms but does consolidate them. This issue sets out the various transfer mechanisms and highlights a number of new features.
1. General Data Transfer Principles
Personal data may be freely transferred to countries within the European Economic Area, i.e. the 28 member states of the European Union plus Norway, Liechtenstein and Iceland.
Transfers to other countries (so-called third countries) are only allowed if an adequate transfer mechanism is in place and provided enforceable rights and effective legal remedies are available for data subjects. This means that data subjects must be able to rely on an enforceable third-party beneficiary clause or arrangement.
The obligation to ensure that an adequate transfer mechanism is in place applies to both controllers and processors.
2. Data Transfer Mechanisms
2.1 Adequacy decision
Transfers of personal data may take place to countries for which the European Commission has issued an adequacy finding. Such transfers shall not require any further authorization.
Pursuant to Directive 95/46, the European Commission has issued adequacy findings for the following countries:
Full adequacy finding:
- Isle of Man
- Eastern Republic of Uruguay
Partial adequacy finding:
- Canada: applicable to companies falling within the scope of the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA")
- USA - Privacy Shield: applicable to companies certified under the Privacy Shield scheme
These adequacy findings will be maintained but are subject to periodic review.
2.2 Binding corporate rules
Binding corporate rules ("BCRs") already existed under Directive 95/46 and are now expressly recognized by the GDPR. BCRs are adequate for intra-group transfers. However, putting such rules in place is a rather burdensome and costly process since BCRs must be approved by the competent supervisory authority in accordance with the consistency mechanism.
2.3 Data protection clauses
The GDPR recognizes standard data protection clauses, adopted by the European Commission or the supervisory authority, as an adequate transfer mechanism.
Currently, standard data protection clauses exist for controller-to-controller and controller-to-processor transfers. These clauses were adopted by the European Commission and are available here. Please note however that these clauses are currently being challenged. The Irish High Court has referred a case for preliminary ruling to the Court of Justice of the European Union questioning the validity of the standard contractual clauses. In the meantime these clauses remain valid.
The GDPR expressly provides for the possibility for the supervisory authority to adopt standard data protection clauses, which must then be approved by the European Commission. The Benelux supervisory authorities have not yet done so.
In addition, the GDPR recognizes ad hoc data protection clauses. The use of such clauses requires the authorization of the supervisory authority.
2.4 Codes of conduct and certification mechanisms (NEW!)
The GDPR provides for two new transfer mechanisms:
- a code of conduct, which must be approved by the supervisory authority; and
- a certification mechanism, which must be approved by the supervisory authority or the relevant certification body.
A code of conduct or certification mechanism must be accompanied by binding and enforceable commitments on the part of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subject rights.
2.5 Mechanisms for use by public authorities
As far as public authorities or bodies are concerned, appropriate safeguards may be offered by:
- a legally binding and enforceable instrument between public authorities or bodies; or
- subject to approval by the supervisory authority, provisions inserted in administrative arrangements between public authorities or bodies which provide for enforceable and effective data subject rights.
2.6 Derogations
In the absence of an adequacy decision or other appropriate transfer mechanism, data transfers to third countries are only allowed if one of the following conditions is met:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of the transfer for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
Please note that certain supervisory authorities are reluctant to accept these grounds as a valid basis for recurring, large-scale data transfers and prefer other transfer mechanisms such as standard data protection clauses.
2.7 Last resort
When a transfer cannot be based on a transfer mechanism and none of the above-mentioned derogations is applicable, a data transfer may only take place if:
- the transfer is not recurring;
- the transfer concerns a limited number of data subjects;
- the transfer is necessary for the purpose of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject(s); and
- the controller has assessed all circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards to protect personal data.
In addition, the controller must inform the supervisory authority and the data subjects of the data transfer and their legitimate interests.
The above-mentioned assessment must be included in the records of processing activities referred to in Article 30 GDPR.
3. Data transfers ordered by a third-country court or authority
Under certain circumstances, companies established in the EU may be ordered by a court or other authority in a third country to transfer or disclose personal data. The GDPR provides that such an order may only be recognized and considered enforceable if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or relevant member state.
4. Restrictions on transfers by member states
In the absence of an adequacy decision, EU or member state law may, for important reasons in the public interest, expressly set limits on the transfer of specific categories of personal data to third countries. Any such restrictions must be notified to the European Commission.
In this way, the member states have leeway to adopt data localisation laws.