Transfers to third countries
Controllers and processors must comply with the conditions set out in the Applied GDPR to ensure that the level of protection guaranteed is not undermined. Transfers must not take place unless they are in full compliance with the Applied GDPR.
The controller or processor must document the safeguards put in place as part of the accountability requirements.
The conditions for transfers
Transfers with an adequacy decision
Transfers to countries or international organisations with an adequacy decision from the EU do not require specific authorisation by a supervisory authority.
The existing adequacy decisions, including that of the Isle of Man, will remain valid until they are amended, replaced or repealed by the EU Commission. A review of the existing decision is anticipated shortly after the GDPR becomes enforceable, at which time the adequacy of compliance with the GDPR (not the old Directive) will be assessed. This timescale is supported by the Opinion of the Article 29 Data Protection Working Party on the adequacy of the protection for personal data in the proposed EU-US Privacy Shield.
However, as a result of the Schrems judgment in October 2015, controllers or processors transferring personal data to an existing adequate third country must still consider whether, in their view, the third country does, in fact, provide an appropriate level of protection for the particular data transfer.
Transfers by way of appropriate safeguards
Where no adequacy decision has been made, transfers can be made only if the controller or processor has “adduced appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available”.
Specific authorisation by a supervisory authority is not required if appropriate safeguards are met. Such safeguards must include compliance with the general principles of data protection and the principles of data protection by design and by default.
The following safeguards are specified:
- Legally binding and enforceable instrument between public authorities or bodies with corresponding duties or functions
- Binding corporate rules
- Adoption of the Commission’s standard data protection clauses (or those of an EU supervisory authority approved by the Commission)
- Compliance with an approved code of conduct or certification, together with binding and enforceable commitments to apply those safeguards, including the rights
Adoption of the Commission’s standard data protection clauses (or those of an EU supervisory authority approved by the Commission)
The European Commission has approved two sets of standard data protection clauses which can be inserted into a contract and can offer sufficient safeguards on data protection for the data to be transferred internationally. These clauses can be found at: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.
New standard clauses are yet to be created.
Transfers by way of binding corporate rules
Binding corporate rules (BCRs) can be approved by EU supervisory authorities (but not by the Information Commissioner). Details about the specifications and requirements of BCRs are set out in Article 43 of the EU GDPR.
If the transfer does not meet any of the conditions, it can still take place if one of the following circumstances applies (* not applicable to public authorities in the exercise of their public powers):
- Explicit consent has been given to the proposed transfer by the data subject after having been informed of the associated risks *;
- For the performance of a contract between the data subject and controller, or the implementation of pre-contractual measures taken at the data subject’s request *;
- For the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person *;
- For important reasons of a public interest recognised in law;
- For the establishment, exercise or defence of legal claims;
- In order to protect the vital interests of the data subject or other persons where the data subject is physically or legally incapable of giving consent.
In any other case* a transfer can only take place if it:
- Is not repetitive; and
- Concerns only a limited number of data subjects; and
- Is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the rights and freedoms of the data subjects; and
- Is supported by suitable safeguards adduced by the controller.
The controller must document the assessment undertaken as well as the safeguards implemented in the records of processing activities as part of the accountability obligations and provide details about the transfer and the compelling legitimate interests to the data subject and the supervisory authority.
Transfers or disclosures ordered by a third country
Any judgment of a court, tribunal or administrative authority of a third country ordering a disclosure or transfer of personal data to that third country may only be recognised or enforceable if there is an international agreement (for example a legal assistance treaty) in place between the third country and the European Union (including the Isle of Man) or Member State.