GDPR Transfer to third countries

Transmitting personal data to third countries

The GDPR has put strict rules in place, when it comes to data transfer to third countries or international organizations.

Which countries are third countries?

Third countries are territories outside: EU, EEA, Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework). There are adequacy talks going on with Japan and South Korea.

Conditions for transfer to third countries or organizations

If companies are transferring personal data to third countries, the GDPR provides additional conditions.

  1. Article 46 section 2 allows companies to send personal data to third countries, if companies have applied appropriate safeguards, for example binding corporate rules, standard data protection clauses, code of conduct and approved certifications. The most suitable safeguard for companies is model contracts adopted by the European Commission. These contractual clauses regulate the data transfer between data controllers and processors. For example, when a company wants to use cloud services, which are stationed outside of the EU, then they can sign the data processing agreement (DPA) that includes standard contractual clauses.
  2. Article 49 section 1 states that in the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organization shall take place only under certain conditions, for example:
       a) explicit consent from the data subject, company must inform the data subject of all the risks that can occur when the data is transferred there;
       b) transfer of data is necessary for the performance of a contract;
       c) establish, exercise or defense of legal claims.

The transfer of personal data under article 49 is allowed only when it is occasional and necessary. This means that the company must evaluate, how often the personal data is sent and is it necessary to send it to the third country or the same result can be achieved inside the EU. The performance of a contract could be used as a legal ground for example for when travel agents transfer personal data of their individual clients to hotels or other commercial partners that organize their clients’ stay abroad.

Companies have an obligation to document the data transfer to third countries or international organizations under Article 30 (records of processing activities).

Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on email

Try our GDPR Compliance Tool GDPR Register for 14-days.

No credit card required.

Latest Posts
Records of processing activities in GDPR Article 30

Records of processing activities in GDPR Article 30

What are the records of processing activities (ROPA)? Article 30 of the EU General Data Protection Regulation (GDPR) requires organisations...
10 Great GDPR Compliance Software Tools in 2022 (Review + Pricing)

10 Great GDPR Compliance Software Tools in 2022 (Review + Pricing)

In this article, we will introduce you to some useful GDPR software tools which may help you reach GDPR compliance...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

What is a DPA? A Data Processing Agreement (DPA) is a legally binding document to be entered into between the controller...
Personal Data Breach Reporting Requirements Under the GDPR

Personal Data Breach Reporting Requirements Under the GDPR

What is Data Breach? According to General Data Protection Regulation (GDPR), a personal data breach is a security incident that...
Direct marketing rules and exceptions under the GDPR

Direct marketing rules and exceptions under the GDPR

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities...
Data Protection Authorities (DPA)

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the...
GDPR compliance checklist for controllers

GDPR compliance checklist for controllers

This is a simple GDPR compliance checklist for data controllers that you can use to ensure you have considered most important...
GDPR Basics: Are you a Controller or a Processor?

GDPR Basics: Are you a Controller or a Processor?

What are ‘controllers’ and ‘processors’? With this short and simple article, we will try to explain the basics of controllers...
Templates for Records of Processing Activities

Templates for Records of Processing Activities

As we see every day, most companies and organisations still keep their Records of Processing Activities in spreadsheets. Through our...
Web plug-in requires visitor’s consent

Web plug-in requires visitor’s consent

In the light of the recent ruling of the European Court of Justice, website owners have to bear in mind...