GDPR Transfer to third countries

Transmitting personal data to third countries

The GDPR has put strict rules in place, when it comes to data transfer to third countries or international organizations.

Which countries are third countries?

Third countries are territories outside: EU, EEA, Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework). There are adequacy talks going on with Japan and South Korea.

Conditions for transfer to third countries or organizations

If companies are transferring personal data to third countries, the GDPR provides additional conditions.

  1. Article 46 section 2 allows companies to send personal data to third countries, if companies have applied appropriate safeguards, for example binding corporate rules, standard data protection clauses, code of conduct and approved certifications. The most suitable safeguard for companies is model contracts adopted by the European Commission. These contractual clauses regulate the data transfer between data controllers and processors. For example, when a company wants to use cloud services, which are stationed outside of the EU, then they can sign the data processing agreement (DPA) that includes standard contractual clauses.
  2. Article 49 section 1 states that in the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organization shall take place only under certain conditions, for example:
       a) explicit consent from the data subject, company must inform the data subject of all the risks that can occur when the data is transferred there;
       b) transfer of data is necessary for the performance of a contract;
       c) establish, exercise or defense of legal claims.

The transfer of personal data under article 49 is allowed only when it is occasional and necessary. This means that the company must evaluate, how often the personal data is sent and is it necessary to send it to the third country or the same result can be achieved inside the EU. The performance of a contract could be used as a legal ground for example for when travel agents transfer personal data of their individual clients to hotels or other commercial partners that organize their clients’ stay abroad.

Companies have an obligation to document the data transfer to third countries or international organizations under Article 30 (records of processing activities).

Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on email

Try our GDPR Compliance Tool GDPR Register for 14-days.

No credit card required.

Latest Posts
Personal Data Breach Reporting Requirements Under the GDPR

Personal Data Breach Reporting Requirements Under the GDPR

What is Data Breach? A personal data breach is security incident that results in the accidental or unlawful destruction, loss,...
Direct marketing rules and exceptions under the GDPR

Direct marketing rules and exceptions under the GDPR

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities...
Records of processing activities in GDPR Article 30

Records of processing activities in GDPR Article 30

What do companies have to include in the records of processing activities? GDPR Article 30 requires companies to keep an...
Data Protection Authorities (DPA)

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

What is a DPA? A Data Processing Agreement (DPA) is a legally binding document to be entered into between the controller...
GDPR compliance checklist for controllers

GDPR compliance checklist for controllers

This is a simple GDPR compliance checklist for controllers that you can use to ensure you have considered most important...
GDPR Basics: Are you a Controller or a Processor?

GDPR Basics: Are you a Controller or a Processor?

What are ‘controllers’ and ‘processors’? With this short and simple article, we will try to explain the basics of controllers...
Templates for Records of Processing Activities

Templates for Records of Processing Activities

As we see every day, most companies and organisations still keep their Records of Processing Activities in spreadsheets. Through our...
Web plug-in requires visitor’s consent

Web plug-in requires visitor’s consent

In the light of the recent ruling of the European Court of Justice, website owners have to bear in mind...
First GDPR fine issued in Lithuania

First GDPR fine issued in Lithuania

A year after GDPR came into force, the Lithuanian Data Protection Authority (VDAI) has issued its first administrative fine. UAB ‘Mister Tango’,...