Data transmission to third countries
Note

The European Court of Justice (ECJ) declared the EU-US Privacy Shield invalid on 16.07.2020 (Case C-311/18).

Data transmission to countries outside the European Union (third countries)

Background

According to Article 45 (3) of the GDPR (General Data Protection Regulation), the European Commission may adopt so-called adequacy decisions for the transfer of personal data to countries outside the European Union, so-called third countries. An adequacy decision for a third country states that this country provides adequate protection of personal data according to the GDPR.

These adequacy decisions may relate to entire countries or only to parts or sectors of these countries. Monaco is mentioned as an example. Monaco is generally classified as a third country. However, an adequacy decision has been taken for the financial transactions sector, so that personal data may be transferred in this context without further action.

If personal data is to be transferred to third countries outside the EU that do not have an adequate level of data protection, the controller (for example, the managing director of a company) must ensure that the data transfer nevertheless complies with the requirements of the GDPR. There are several possibilities for this, which are briefly explained below.

Variants of data transmission between countries

The following variants of transmitting personal data to other countries are distinguished and are also taken into account in Robin Data:

  1. Data transmission within the countries of the EU
  2. Data transfer from EU countries to countries with an adequate level of data protection
  3. Data transmission to the United States of America based on the Privacy-Shield Framework
  4. Data transfer from EU countries to countries without an adequate level of data protection (third countries)

The cases are briefly explained below from the perspective of a European processor, and solutions for the lawful transfer of personal data are presented.

1. Data transmission between countries within the EU

If personal data is transferred to countries within the EU, no further action is necessary from a data protection perspective. All countries within the EU are subject to the GDPR.

Bottom line: The protection of personal data is sufficiently regulated, and the data can be transferred without restriction.

2. Data transmission to countries with an adequate level of data protection

For countries with an adequate level of data protection, no further action is necessary when personal data are transferred to these countries. These countries are therefore privileged: they are treated in the same way as countries within the EU.

Currently, the following countries have an adequate level of data protection (Official EU list):

The approval of Japan as a third country with an adequate level of data protection is currently in preparation.

Bottom line: Personal data may be transferred to such countries without further restriction.

Data transmissions to the United States of America (USA)

In principle, the USA is not recognised as a country with an adequate level of data protection. The reason for this is the so-called USA PATRIOT Act, which grants the government more extensive rights to access company data.

In the past, the transfer of personal data was regulated by the so-called Safe Harbor Agreement between the EU and the USA in such a way that personal data could be transferred to the USA in accordance with the law. The Safe Harbor Agreement was declared invalid by the European Court of Justice in October 2015.

For this reason, a successor agreement was adopted, the EU-US Privacy Shield. The Privacy Shield was adopted by the European Commission in July 2016 and was declared invalid by the European Court of Justice on 16.07.2020. This means that, with immediate effect, it is no longer possible for US companies to process personal data of EU citizens on this basis. On 04 June 2021, the EU Commission adopted new EU standard contractual clauses.

Data transmission to third countries

The transfer of personal data to third countries is generally prohibited. However, a transfer of such data is possible if special measures are taken.

These measures are:

  1. Implementation of company-wide guidelines that govern data protection within a company and its subsidiaries, so-called Binding Corporate Rules
  2. The use of contracts predefined by the EU, so-called EU standard contractual clauses, to regulate the transfer of personal data with third-party companies.

Depending on the case at hand, measures will in any case be necessary to ensure that data are transferred lawfully.

Prof. Dr. Andre Döring