In this article we will see how to handle the transfer of personal data to third countries or international organizations under the European regulation for the protection of personal data (GDPR).
Personal data transfer
Third countries and international organizations
What to keep in mind in case of transfer
Although the regulation gives no specific definition of "transfer", the concept appears in several of the data controller's most important obligations, such as:
- the record of processing activities, in which the controller must state whether a transfer takes place
- the data protection impact assessment, in which the safeguards adopted for the transfer must be specified
While personal data circulates freely within the European Economic Area, transfers outside the EEA are prohibited by default unless one of the conditions set out in Chapter V of the regulation is met.
Today, with cloud hosting, email marketing and automation services, personal data is routinely transferred outside the EEA without the organization having correctly assessed and recorded the transfer according to the requirements of the GDPR.
Transfers outside the EEA also occur within companies and international groups that operate from multiple locations, for example when staff of a group company outside the EEA access a shared HR or CRM system.
To comply with the regulation, each organization must adopt procedures to identify when personal data is transferred outside the EEA, and must be able to demonstrate that each transfer is covered by one of the safeguards the regulation requires.
The safeguards for transferring data outside the European Union
The European regulation allows the transfer of personal data outside the European Economic Area only when an appropriate legal basis for the transfer exists.
There are three routes, to be considered in this order. Let's see the differences:
Transfer based on an adequacy decision
The simplest route is an adequacy decision for the country to which you intend to transfer data: the European Commission has determined, under Article 45, that the third country ensures a level of data protection essentially equivalent to that guaranteed by the regulation. An adequacy decision is binding on every Member State of the European Union.
Transfers to a third country covered by an adequacy decision may take place without any further authorization. Adequacy decisions are, however, subject to periodic review to determine whether the country still guarantees an adequate level of data protection,
and they can be amended, suspended or repealed if the third country no longer meets the necessary criteria.
Before a transfer takes place, data controllers should check the current list of countries covered by an adequacy decision on the website of the European Commission or of their national supervisory authority, since the list changes over time.
Transfer based on appropriate safeguards
In the absence of an adequacy decision, personal data may be transferred to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies are available.
These safeguards are listed in Article 46 and may take several forms:
- A legally binding and enforceable instrument between public authorities or bodies
- Binding corporate rules (BCR) in accordance with Article 47
- Standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2)
- Standard data protection clauses adopted by a supervisory authority and approved by the Commission in accordance with the examination procedure referred to in Article 93(2)
- A code of conduct approved pursuant to Article 40, together with binding and enforceable commitments of the recipient to apply the appropriate safeguards, including as regards data subjects' rights
- A certification mechanism approved pursuant to Article 42, together with binding and enforceable commitments of the recipient to apply the appropriate safeguards, including as regards data subjects' rights
Subject to authorization from the competent supervisory authority, Article 46(3) also allows ad hoc contractual clauses and provisions in administrative arrangements between public bodies. Note also that, since the Court of Justice's Schrems II judgment (C-311/18), relying on standard contractual clauses or BCR requires the exporter to assess whether the law and practice of the destination country undermine those safeguards, and to adopt supplementary measures where they do.
Transfer based on the derogations for specific situations in Article 49
If there is neither an adequacy decision nor an appropriate safeguard, a transfer may still take place under one of the derogations in Article 49. The first is:
- The explicit consent of the data subject, given after being informed of the possible risks of a transfer made without an adequacy decision or appropriate safeguards.
Otherwise, the transfer must be necessary for one of the following:
- The performance of a contract between the data subject and the controller, or of pre-contractual measures taken at the data subject's request.
- The conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
- Important reasons of public interest.
- The establishment, exercise or defence of legal claims.
- Protecting the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
- A transfer made from a register which, under Union or Member State law, is intended to provide information to the public and is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled.
The derogations are exceptions to the general rule and are interpreted restrictively: they are meant for occasional transfers, not for systematic or repetitive ones, which should rely on an adequacy decision or an Article 46 safeguard.
Management of transfers in UTOPIA
To manage transfers, open the Registers menu, select a processing activity and fill in the following details:
- Categories: specify all categories of recipients of the personal data being transferred, both those who receive the data under a legal obligation and those who receive it on the basis of a contract, such as processors.
- Transfers: specify the third countries or international organizations to which the personal data is transferred.
- Safeguards: specify, for each country or organization, the basis for the transfer by choosing among an adequacy decision, an appropriate safeguard under Article 46 or a derogation under Article 49.
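The three-tier check described in this article (intra-EEA, adequacy decision, Article 46 safeguard, Article 49 derogation) can be applied mechanically to a register of processing activities. The following is an added example, not UTOPIA code or part of the original article: a small Python validator that walks a register and flags each third-country transfer whose recorded basis is missing, inconsistent with the destination, or unsuitable for a repetitive transfer. The EEA country set is real; the adequacy set and the register entries are constructed sample data, and the adequacy set in particular must be replaced with the current list published by the European Commission or your supervisory authority.

```python
from dataclasses import dataclass, field
from enum import Enum

# EEA members: EU-27 plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}


class Basis(Enum):
    NONE = "none"          # nothing recorded in the register
    ADEQUACY = "art45"     # adequacy decision for the destination country
    SAFEGUARD = "art46"    # SCC, BCR, code of conduct, certification, ...
    DEROGATION = "art49"   # consent, contract, legal claims, ...


@dataclass
class Transfer:
    recipient: str            # recipient category, e.g. "cloud hosting provider"
    country: str              # destination, ISO 3166-1 alpha-2
    basis: Basis = Basis.NONE
    reference: str = ""       # instrument relied on (signed SCC module, BCR approval, ...)
    repetitive: bool = False  # systematic or recurring transfer rather than occasional


@dataclass
class ProcessingActivity:
    name: str
    transfers: list = field(default_factory=list)


def assess(t: Transfer, adequacy: set) -> tuple:
    """Classify one transfer as ("ok" | "warn" | "fail", reason) using the
    order of the article: EEA, adequacy decision, Article 46, Article 49."""
    if t.country in EEA:
        return "ok", "recipient inside the EEA: not a third-country transfer"
    if t.country in adequacy:
        if t.basis is Basis.ADEQUACY:
            return "ok", "covered by an adequacy decision"
        return "warn", "country has an adequacy decision but the register does not record it"
    if t.basis is Basis.ADEQUACY:
        return "fail", f"no adequacy decision exists for {t.country}"
    if t.basis is Basis.SAFEGUARD:
        if not t.reference:
            return "fail", "Article 46 safeguard claimed but no instrument referenced"
        return "ok", f"Article 46 safeguard: {t.reference}"
    if t.basis is Basis.DEROGATION:
        if not t.reference:
            return "fail", "Article 49 derogation claimed but none identified"
        if t.repetitive:
            return "warn", "Article 49 derogations are for occasional transfers; use an Article 46 safeguard"
        return "ok", f"Article 49 derogation: {t.reference}"
    return "fail", "third-country transfer with no adequacy decision, safeguard or derogation"


def audit(register: list, adequacy: set) -> list:
    """Assess every transfer of every activity; findings are returned worst-first."""
    rank = {"fail": 0, "warn": 1, "ok": 2}
    findings = [
        (a.name, t.recipient, t.country, *assess(t, adequacy))
        for a in register for t in a.transfers
    ]
    return sorted(findings, key=lambda f: rank[f[3]])


# Constructed sample adequacy set: replace with the current official list.
ADEQUACY = {"CH", "JP"}

# Constructed sample register with one entry per outcome.
SAMPLE_REGISTER = [
    ProcessingActivity("Newsletter", [
        Transfer("email marketing platform", "US", Basis.SAFEGUARD,
                 "SCC (Decision 2021/914) module 2, signed 2023-05-02", repetitive=True),
    ]),
    ProcessingActivity("HR management", [
        Transfer("group subsidiary", "JP"),
        Transfer("payroll provider", "IN", Basis.DEROGATION,
                 "Art. 49(1)(a) explicit consent", repetitive=True),
        Transfer("document storage", "DE"),
        Transfer("recruiting agency", "BR"),
    ]),
]

if __name__ == "__main__":
    for activity, recipient, country, status, reason in audit(SAMPLE_REGISTER, ADEQUACY):
        print(f"{status.upper():4} {activity} -> {recipient} ({country}): {reason}")
```

A "warn" for a country that has an adequacy decision but no recorded basis is deliberate: the transfer is lawful, but the register is incomplete, which is exactly the documentation gap the regulation asks the controller to close. The validator does not judge the adequacy of an Article 46 instrument itself (for example whether a transfer impact assessment was carried out); that remains a human decision recorded in the reference field.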