Transfers to third countries

Controllers and processors must comply with the conditions set out in the GDPR to ensure that the level of protection guaranteed by the GDPR is not undermined. Transfers must not take place unless they are in full compliance with the GDPR.

The controller or processor must document the safeguards put in place as part of the accountability requirements.

The conditions for transfers

Transfers with an adequacy decision

Transfers to countries or international organisations with an adequacy decision from the EU do not require specific authorisation by a supervisory authority. 

The existing adequacy decisions, including that of the Isle of Man, will remain valid until they are amended, replaced or repealed by the EU Commission. A review of the existing decision is anticipated shortly after the GDPR becomes enforceable, at which time the adequacy of compliance with the GDPR (not the old Directive) will be assessed. This timescale is supported by the Opinion of the Article 29 Data Protection Working Party on the adequacy of the protection for personal data in the proposed EU-US Privacy Shield.

However, as a result of the Schrems judgment in October 2015, controllers or processors transferring personal data to an existing adequate third country must still consider whether, in their view, the third country does, in fact, provide an appropriate level of protection for the particular data transfer.   

When the GDPR comes into force, this will become an even more important consideration for controllers or processors transferring personal data to the Island. They must be satisfied that equivalent protection to that which is required under the GDPR, not the existing Directive, is guaranteed, as the higher bracket of administrative fines for non-compliance could be imposed.

Transfers by way of appropriate safeguards

Where no adequacy decision has been made, transfers can be made only if the controller or processor has “adduced appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available”.

Specific authorisation by a supervisory authority is not required if appropriate safeguards are met. Such safeguards must include compliance with the general principles relating to processing and the principles of data protection by design and by default.

The following safeguards are specified:

Transfers by way of binding corporate rules

Binding corporate rules (BCRs) can be approved by EU supervisory authorities once the GDPR is in force. Details about the specifications and requirements of BCRs are set out in Article 43.

Specific circumstances

If the transfer does not meet any of the conditions, it can still take place if one of the following circumstances applies (* not applicable to public authorities in exercise of their public powers):

Is necessary

In any other case* a transfer can only take place if it:

The controller must document the assessment undertaken as well as the safeguards implemented in the records of processing activities as part of the accountability obligations, and provide details about the transfer and the compelling legitimate interests to the data subject and the supervisory authority.

Transfers or disclosures ordered by a third country

Any judgment of a court, tribunal or administrative authority of a third country ordering a disclosure or transfer of personal data to that third country may only be recognised or enforceable if there is an international agreement (for example a legal assistance treaty) in place between the third country and the Union or Member State.