Note

The European Court of Justice (ECJ) declared the EU-US Privacy Shield invalid on 16.07.2020 (Case C-311/18).

Data transmission to countries outside the European Union (third countries)

Background

According to Article 45 (3) of the GDPR (General Data Protection Regulation), the European Commission can adopt so-called adequacy decisions for the transfer of personal data to countries outside the European Union, so-called third countries. The adequacy decision for a third country states that this country provides adequate protection of personal data according to the GDPR.

These adequacy decisions may relate to entire countries or only to parts or sectors of these countries. Monaco is mentioned as an example. Monaco is generally classified as a third country. However, for the financial transactions sector, an adequacy decision has been taken, so that personal data may be transferred in this context without further action.

If personal data is to be transferred to third countries outside the EU that do not have an adequate level of data protection, the person responsible (for example, the managing director of a company) must ensure that the data transfer to third countries nevertheless complies with the GDPR. There are several possibilities for this, which are briefly explained below.

Variants of data transmission between countries

The following variants of transmitting personal data to other countries are distinguished, and are also taken into account in Robin Data:

  1. Data transmission within the countries of the EU
  2. Data transfer from EU countries to countries with an adequate level of data protection
  3. Data transmission to the United States of America based on the Privacy-Shield Framework
  4. Data transfer from EU countries to countries without an adequate level of data protection (third countries)

The cases are briefly explained below from the perspective of a European processor, and solutions for the lawful transfer of personal data are presented.

1. Data transmission between countries within the EU

If personal data is transferred to countries within the EU, no further action is necessary from a data protection perspective. All countries within the EU are subject to the GDPR.

Bottom line: The protection of personal data is sufficiently regulated, and the data can be transferred without restriction.

2. Data transmission to countries with an adequate level of data protection

For countries with an adequate level of data protection, no further action is necessary when personal data are transferred to these countries. These countries are therefore privileged: they are treated in the same way as countries within the EU.

Currently, the following countries have an adequate level of data protection (Official EU list of countries with adequate levels of data protection):

The approval of Japan as a third country with an adequate level of data protection is currently in preparation.

Bottom line: Personal data may be transferred to such countries without further restriction.

Data transfers to the United States of America (USA)

In principle, the USA is not recognised as a country with an adequate level of data protection. The reason for this is the so-called USA PATRIOT Act, which grants the government more extensive rights to access company data.

In the past, the transfer of personal data was regulated by the so-called Safe Harbor Agreement between the EU and the USA in such a way that personal data could be transferred to the USA in accordance with the law. The Safe Harbor Agreement was declared invalid by the European Court of Justice in October 2015.

For this reason, a successor agreement was adopted, the EU-US Privacy Shield. The Privacy Shield was adopted by the European Commission in July 2016 and was declared invalid by the European Court of Justice on 16 July 2020. This means that, with immediate effect, it is no longer possible for US companies to process personal data of EU citizens on this basis. On 04 June 2021, the European Commission adopted new EU standard contractual clauses.

Data transmission to third countries

The transfer of personal data to third countries is generally prohibited. However, a transfer of such data is possible if special measures are taken.

These measures are:

  1. Implementation of company-wide guidelines that govern data protection within a company and its subsidiaries, so-called Binding Corporate Rules
  2. The use of contracts predefined by the EU, so-called EU standard contractual clauses, to regulate the transfer of personal data with third-party companies.

Whichever case applies, measures will be necessary to ensure that data are transferred lawfully.

Prof. Dr. Andre Döring
