The GDPR regulates the transfer of personal data to third countries. To be authorised, the transfer must be based on one of three grounds: an adequacy decision, appropriate safeguards, or one of the derogations provided for in the GDPR.
Recital 101 provides guidance on the rules for transferring personal data to a third country:
- A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.
Article 45 « Transfers on the basis of an adequacy decision » is the provision under which the European Commission determines whether or not a third country ensures an adequate level of protection.
The adoption of an adequacy decision based on Article 45 of the GDPR involves:
- A proposal from the European Commission
- An opinion of the European Data Protection Board
- An approval by the representatives of the EU countries
- Adoption of the decision by the European Commission
At present only a limited number of third countries are considered to offer adequate protection, so that personal data may be transferred to them on this basis.
The list of countries currently recognised by the European Commission is as follows:
- Andorra
- Argentina
- Canada (commercial organisations)
- Faroe Islands
- Guernsey
- Israel
- Isle of Man
- Japan
- Jersey
- New Zealand
- Republic of Korea
- Switzerland
- United Kingdom (under the GDPR and the LED)
- Uruguay
With the exception of the UK, these adequacy decisions do not cover data exchanges in the law enforcement sector, which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
In the absence of an adequacy decision under Article 45 of the GDPR, Article 46 « Transfers subject to appropriate safeguards » provides a list of « appropriate safeguards » on which a transfer to a third country may also be based.
These appropriate safeguards can be of various kinds:
- Binding Corporate Rules (Article 47 of the GDPR): these are internal, binding corporate rules governing transfers of personal data to countries outside the European Union. They constitute an internal « Code of Conduct » within a corporate group, defining the data transfer policy for each of the entities that make up the group, including their employees.
- Standard Contractual Clauses adopted by the European Commission under Article 93(2), which have very recently been recast as described below.
- Codes of conduct approved under Article 40.
- International agreements or administrative commitments.
In the absence of both an adequacy decision and appropriate safeguards under Articles 45 and 46 of the GDPR, only one option remains: the derogations provided for by Article 49 of the GDPR « Derogations for specific situations ».
These derogations are as follows:
- The data subject has given his or her explicit consent to the transfer.
- The transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures (or for a contract concluded in the data subject's interest where he or she is not a party to it).
- The transfer is necessary for important reasons of public interest.
- The transfer is necessary for the establishment, exercise or defence of legal claims.
- The transfer is necessary to protect the vital interests of the data subject or of other persons.
- The transfer is made from a register which is intended to provide information to the public and is open to consultation by the general public.
Without an adequacy decision, appropriate safeguards, or derogations, the GDPR does not allow the transfer of personal data to a third country.
This article is only a short and incomplete overview, but it aims to give you an idea of what the GDPR requires in these situations. As non-compliance with the GDPR can lead to very heavy fines, I strongly advise you to ask your DPO or your GDPR consultant for advice and for much more complete information.