The GDPR has put strict rules in place, when it comes to data transfer to third countries or international organizations.
Which countries are third countries?
Third countries are territories outside: EU, EEA, Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework). There are adequacy talks going on with Japan and South Korea.
Conditions for transfer to third countries or organizations
If companies are transferring personal data to third countries, the GDPR provides additional conditions.
- Article 46 section 2 allows companies to send personal data to third countries, if companies have applied appropriate safeguards, for example binding corporate rules, standard data protection clauses, code of conduct and approved certifications. The most suitable safeguard for companies is model contracts adopted by the European Commission. These contractual clauses regulate the data transfer between data controllers and processors. For example, when a company wants to use cloud services, which are stationed outside of the EU, then they can sign the data processing agreement (DPA) that includes standard contractual clauses.
- Article 49 section 1 states that in the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organization shall take place only under certain conditions, for example:
a) explicit consent from the data subject, company must inform the data subject of all the risks that can occur when the data is transferred there;
b) transfer of data is necessary for the performance of a contract;
c) establish, exercise or defense of legal claims.
The transfer of personal data under article 49 is allowed only when it is occasional and necessary. This means that the company must evaluate, how often the personal data is sent and is it necessary to send it to the third country or the same result can be achieved inside the EU. The performance of a contract could be used as a legal ground for example for when travel agents transfer personal data of their individual clients to hotels or other commercial partners that organize their clients’ stay abroad.
Companies have an obligation to document the data transfer to third countries or international organizations under Article 30 (records of processing activities).