DPC Guidance on Data Transfers to 3rd Countries
August 2022
The Data Protection Commissioner (‘DPC’) reminds entities that the transfer of personal data from the EU to controllers and processors located outside the EU in third countries (i.e. any country outside the European Economic Area (‘EEA’)), while necessary for international trade and international co-operation, should not undermine the level of protection of the individuals concerned.
Such transfers to third countries or international organisations should be done in full compliance with Chapter 5 (Articles 44 – 50) of the General Data Protection Regulation (the ‘GDPR’).
Article 45 – Transfers on the basis of an adequacy decision
The DPC notes that the first thing to consider when transferring personal data to a third country is whether there is an “adequacy decision”. This is where the European Commission has decided that a third country or an international organisation has an adequate level of data protection, taking into account factors such as the laws, respect for human rights and freedoms, national security, data protection rules, the existence of a data protection authority and binding commitments entered into by the country in respect of data protection.
The effect of such an adequacy decision is that personal data can flow from the EEA to that third country without any further safeguard being necessary, effectively meaning the transfer is the same as if it was carried out within the EU.
Article 46 – Transfers subject to appropriate safeguards
Where there is no adequacy decision, the DPC highlights that the GDPR does allow a transfer if the controller or processor has provided “appropriate safeguards”. These safeguards may include:
- Standard data protection clauses – these are model data protection clauses that have been approved by the European Commission and contain contractual obligations on the Data Exporter and the Data Importer and rights for the individuals whose personal data is transferred.
- Binding corporate rules (‘BCR’) – these rules form a legally binding internal code of conduct operating within a multinational group, which applies to transfers of personal data from the group's EEA entities to the group’s non-EEA entities. There are two types of such rules which can be approved - BCR for Controllers which are used by the group entity to transfer data that they have responsibility for such as employee or supplier data; and BCR for Processors which are used by entities acting as processors for other controllers and are normally added as an addendum to a Service Level Agreement contract.
- Approved Codes of Conduct - The use of Codes of Conduct as a transfer tool, under specific circumstances, has been introduced by the GDPR in Article 40(3). While voluntary, they set out specific data protection rules for categories of controllers and processors providing a detailed description of what is the most appropriate, legal and ethical behaviour within a sector.
- Approved certification mechanisms - Article 42(2) of the GDPR allows certification mechanisms, under which an independent body issues a written assurance (a certificate) that the product, service or system in question meets specific requirements, to be developed to demonstrate the existence of appropriate safeguards provided by controllers and processors in third countries, provided those safeguards are binding and protect data subject rights.
For further information on the Guidance, please see the link below: Transfers of Personal Data to Third Countries or International Organisations | Data Protection Commissioner