GDPR Transfer to third countries

Transmitting personal data to third countries

The GDPR has put strict rules in place, when it comes to data transfer to third countries or international organizations.

Which countries are third countries?

Third countries are territories outside: EU, EEA, Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom and Uruguay. 

Conditions for transfer to third countries or organizations

If companies are transferring personal data to third countries, the GDPR provides additional conditions.

  1. Article 46 section 2 allows companies to send personal data to third countries, if companies have applied appropriate safeguards, for example binding corporate rules, standard data protection clauses, code of conduct and approved certifications. The most suitable safeguard for companies is model contracts adopted by the European Commission. These contractual clauses regulate the data transfer between data controllers and processors. For example, when a company wants to use cloud services, which are stationed outside of the EU, then they can sign the data processing agreement (DPA) that includes standard contractual clauses.
  2. Article 49 section 1 states that in the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organization shall take place only under certain conditions, for example:
       a) explicit consent from the data subject, company must inform the data subject of all the risks that can occur when the data is transferred there;
       b) transfer of data is necessary for the performance of a contract;
       c) establish, exercise or defense of legal claims.

The transfer of personal data under article 49 is allowed only when it is occasional and necessary. This means that the company must evaluate, how often the personal data is sent and is it necessary to send it to the third country or the same result can be achieved inside the EU. The performance of a contract could be used as a legal ground for example for when travel agents transfer personal data of their individual clients to hotels or other commercial partners that organize their clients’ stay abroad.

Companies have an obligation to document the data transfer to third countries or international organizations under Article 30 (records of processing activities).

Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on email

Get your compliance organized with proper GDPR tools.
Contact us for a demo and get access to 14-day trial.

Save time and be confident

Latest Posts
The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The European Commission concluded that the United States ensures adequate protection for personal data transferred from the EU to U.S....
A Comprehensive Guide to Personal Data Mapping

A Comprehensive Guide to Personal Data Mapping

Introduction Data privacy and security are of utmost concern in the digital era of today, especially when it comes to...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

What is a Data Processing Agreement (DPA)? A Data Processing Agreement (DPA) is a legally binding document to be entered...
Direct marketing rules and exceptions under the GDPR

Direct marketing rules and exceptions under the GDPR

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities...
Transmitting personal data to third countries

Transmitting personal data to third countries

The GDPR has put strict rules in place, when it comes to data transfer to third countries or international organizations. Which...
Records of processing activities in GDPR Article 30

Records of processing activities in GDPR Article 30

What are the records of processing activities (ROPA)? Article 30 of the EU General Data Protection Regulation (GDPR) requires organisations...
10 Great GDPR Software Tools for Compliance in 2023 (Review + Pricing)

10 Great GDPR Software Tools for Compliance in 2023 (Review + Pricing)

In this article, we will introduce you to some useful GDPR software tools which may help you reach GDPR compliance...
Personal Data Breach Reporting Requirements Under the GDPR

Personal Data Breach Reporting Requirements Under the GDPR

What is Data Breach? According to General Data Protection Regulation (GDPR), a personal data breach is a security incident that...
Data Protection Authorities (DPA)

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the...
GDPR compliance checklist for controllers

GDPR compliance checklist for controllers

This is a simple GDPR compliance checklist for data controllers that you can use to ensure you have considered most important...