General Guidance on how to use this document
This document is designed for organizations that transfer personal information outside the EEA and wish to do so in a manner compliant with the GDPR requirements.
Pay attention: the actions and requirements stated in this document are subject to constant update by the European Commission and the Data Protection Authorities, and therefore require periodic review.
The procedures below are designed in an “if-then” format: if you meet one of the steps described below, you can stop there and transfer the data in hand to the processor or controller in the non-EEA country; otherwise, continue to the following step.
Procedures to demonstrate the legal basis for the international transfer of data outside the EEA (GDPR):
Step 1: Determine the destination country or countries and the ‘restricted’ data in hand. The determination should be based on the location of the entity to which you transfer the data (whether it is one of your processors, e.g. AWS, Google Analytics etc., or a controller of the data).
Step 2: Establish whether an adequacy decision applies (the list of countries and international organizations for which an adequacy decision applies is available here) – Art. 45
Step 3: Implement appropriate safeguards. If the country, or one or more of the countries, to which personal data is to be transferred is not subject to an adequacy decision from the EC, appropriate safeguards must be put in place to provide for data subjects’ rights and enforceable legal remedies – Art. 46. Examples (pay attention – the status constantly changes and the EC publishes updates in the Official Journal of the European Union):
- Binding Corporate Rules (Art. 47) – applicable within a corporate group structure – may take a long time to achieve
- Standard data protection clauses adopted either by the European Commission or by the relevant supervisory authority (these should be attached to your DPA with any of your data processors outside the EEA)
- An approved code of conduct (Art. 40) (submitted to and approved by the SA/DPA)
- A certification scheme (Privacy Shield was invalidated by the CJEU; however, ISO 27001 and other certificates can satisfy safeguard requirements in some cases, and it is recommended to require them from your processors that are based outside the EEA) – Art. 42
Step 4: Specific derogations. If an adequacy decision does not apply to the destination country and appropriate safeguards cannot be put in place via the above methods, a transfer of personal data may only be made internationally if one of the following situations applies (Art. 49(1)(1)):
- the data subject explicitly consents to the transfer, having been informed of the risks (opt-in); or
- the transfer is necessary to meet contractual commitments to the data subject, or the data subject asks for the transfer prior to the contract; or
- the transfer is in the data subject’s interests with regard to a contract; or
- it is for important reasons of public interest (recognized by law); or
- the transfer is related to a legal claim; or
- the data subject’s vital interests are protected by the transfer and they are unable to consent; or
- the transfer is made from a public register
Step 5: Exceptional Transfers. If none of the conditions set out in this procedure apply, then an international transfer of personal data may only take place if all of the following conditions apply (Art. 49(1)(2)):
- The transfer is not repetitive; and
- A limited number of data subjects is involved; and
- It is for compelling legitimate interests which are not overridden by those of the data subject; and
- All of the circumstances of the data transfer have been assessed; and
- Suitable safeguards are provided, based on the assessment; and
- The assessment and the safeguards are documented; and
- The supervisory authority is informed of the transfer; and
- The data subject is informed of the data transfer and the reasons for it; and
- The data subject is informed about his/her rights under the GDPR
If you reach this point without finding a provision that permits the restricted transfer, you will be unable to make that restricted transfer in accordance with the GDPR. Otherwise:
Step 6: Putting the Transfer in Place. Once the legal basis of the transfer of personal data has been established and approved, the mechanics of achieving the transfer should be addressed.
General Requirements:
- Any assessment, as well as any safeguards put in place, must be documented (Art. 49(6))
- Any safeguard placed must be outlined in a legally binding instrument (DPA clarifications)
For practical tools and questions: info@entero.io