Data transmission to countries outside the European Union (third countries)
According to Article 45 (3) of the GDPR (General Data Protection Regulation), the European Commission may adopt so-called adequacy decisions for the transfer of personal data to countries outside the European Union, so-called third countries. The adequacy decision for a third country states that this country provides adequate protection of personal data according to the GDPR.
These adequacy decisions may relate to entire countries or only to parts or sectors of these countries. Monaco serves as an example. Monaco is generally classified as a third country. However, an adequacy decision has been taken for the financial transactions sector, so that personal data may be transferred in this context without further action.
If personal data is to be transferred to third countries outside the EU without an adequate level of data protection, the person responsible (for example, the managing director of a company) must ensure that the data transfer to third countries nevertheless complies with the GDPR. There are several possibilities for this, which are briefly explained below.
Variants of data transmission between countries
The following variants of transmitting personal data to other countries are distinguished and are also taken into account in Robin Data:
- Data transmission within the countries of the EU
- Data transfer from EU countries to countries with an adequate level of data protection
- Data transmission to the United States of America based on the Privacy-Shield Framework
- Data transfer from EU countries to countries without an adequate level of data protection (third countries)
The cases are briefly explained below from the perspective of a European processor, and solutions for the lawful transfer of personal data are presented.
1. Data transmission between countries within the EU
If personal data is transferred to countries within the EU, no further action is necessary from a data protection perspective. All countries within the EU are subject to the GDPR.
Bottom line: The protection of personal data is sufficiently regulated, and the data can be transferred without restriction.
2. Data transmission to countries with an adequate level of data protection
For countries with an adequate level of data protection, no further action is necessary when personal data are transferred to these countries. These countries are therefore privileged: they are treated in the same way as countries within the EU.
Currently, the following countries have an adequate level of data protection (Official EU list):
The approval of Japan as a third country with an adequate level of data protection is currently in preparation.
Bottom line: Personal data may be transferred to such countries without further restriction.
Data transmission to the United States of America (USA)
In principle, the USA is not recognised as a country with an adequate level of data protection. The reason for this is the so-called USA PATRIOT Act, which grants the government more extensive rights to access company data.
In the past, the transfer of personal data was regulated by the so-called Safe Harbor Agreement between the EU and the USA in such a way that personal data could be transferred to the USA in accordance with the law. The Safe Harbor Agreement was declared invalid by the European Court of Justice in October 2015.
For this reason, a successor agreement was adopted, the EU-US Privacy Shield. The Privacy Shield was adopted by the European Commission in July 2016 and was declared invalid by the European Court of Justice on 16.07.2020. This means that, with immediate effect, it is no longer possible for US companies to process personal data of EU citizens on this basis. Since 04 June 2021, the EU Commission has accepted new EU standard contractual clauses.
Data transmission to third countries
The transfer of personal data to third countries is generally prohibited. However, a transfer of such data is possible if special measures are taken.
These measures are:
- Implementation of company-wide guidelines that govern data protection within a company and its subsidiaries, so-called Binding Corporate Rules
- The use of contracts predefined by the EU, so-called EU standard contractual clauses, to regulate the transfer of personal data with third-party companies.