Do you conduct international data transfers? The European data protection legal framework restricts them unless meeting one of the conditions it sets out. Follow these guidelines and transfer data outside the EU in compliance with the GDPR.
What are international data transfers
International data transfers are defined as cross border flows of personal data from a Member State of the European Economic Area (EU Member States and Liechtenstein, Iceland and Norway) to a third country or international organisation, as well as further transfers from that third country or organisation to another country.
However, not all communications of data out of the EU territory must be considered international data transfers in the eyes of the European data protection framework, which makes necessary to distinguish transfer from transit. Where personal data is simply enrouted through different countries but the transfer is from an EEA country to another EEA country, personal data will have transited by third countries but the transfer is from an EEA country to another EEA country.
Sometimes, EU Member States local law may also define what an international transfer of personal data is and precise its meaning. For instance, in Spain the Royal Decree implementing the Organic Law 15/1999, of 13 December, of protection of personal data, defines international data transfers as transfers of data out of the territory of the EEA, regardless of whether that data is communicated to a data controller or processor.
What are cross-border data transfers?
The GDPR defines cross-border processing as:
(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
From the above definition of cross-border processing it results that cross-border data transfers are:
- transfers of personal data from and to different establishments of the controller or processor, all located within the EU, or
- transfers of personal data from data subjects which are in different EU Member States to the controller or processor establishment which is based in a EU Member State.
Cross-border data transfers are therefore different from international data transfers and are not subject to any of the restrictions or conditions explained below.
How to carry out international transfers of personal data
To transfer personal data internationally, the GDPR Article 44 imposes on the controller and the processor the obligation to comply with the conditions of Chapter V of the Regulation. The transfer may be executed when:
- there is an adequacy decision or;
- appropriate safeguards have been granted or;
- binding corporate rules (BCR) were drafted and approved or;
- failing that, you can apply a derogation.
Notwithstanding the above, prior to verifying whether you meet the conditions to carry out international data transfers, you should check whether or not the gdpr applies to you or that specific processing activity.
Transfers of data outside the EU with an adequacy decision
The EU Commission may decide that a third country, a territory or one or more specific sectors within that third country, or an international organisation, guarantee an adequate level of data protection. In that case you may carry out international data transfers to that country or organisation without requiring any special authorisation.
To date, the countries that have been recognised as offering an adequate level of personal data protection are the following:
- Switzerland, in 2000;
- Canada, in 2002;
- Argentina, in 2003;
- Guernsey, in 2003;
- Isle of Man, in 2004;
- Jersey, in 2008;
- Faroe Islands, in 2010;
- Andorra, in 2010;
- Israel, in 2011;
- Uruguay, in 2012;
- New Zealand, in 2012;
- United States, in 2016; and
- Japan, in 2019.
Regarding transfers of personal data to Canada, these are only covered as they are regulated by the Canadian Data Protection Act PIPEDA (Personal Information Protection and Electronic Documents Act).
Concerning the US adequacy decision, it only covers entities certified under the EU-US Privacy Shield. The list of certified entities can be accessed on the website of the Privacy Shield.
If the entity to which you envisage exporting personal data is not established on a country recognised by an adequacy decision, or that adequacy decision does not cover your transfer, then you can still transfer personal data if, and only if, you offer appropriate safeguards.
International data transfers offering appropriate safeguards
In the absence of an adequacy decision, you may transfer personal data to a third country or international organisation by providing appropriate safeguards, on condition that you make available enforceable data protection rights and effective legal remedies for data subjects.
The GDPR establishes different safeguards and depending on their requirements, these can be classified between those that require authorisation by the supervisory authority and those that do not.
Safeguards that do not require authorisation
They are listed in Article 46.2 of the GDPR and are the following:
- a legally binding and enforceable instrument between public authorities or bodies;
- binding corporate rules;
- standard data protection clauses adopted by the Commission;
- standard data protection clauses adopted by a supervisory authority and approved by the Commission;
- a code of conduct;
- a certification mechanism.
In relation to the standard data protection clauses adopted by the Commission, as of today there are the following:
For transfers between controllers:
- Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC, and
- Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries.
For transfers controller to processor:
Safeguards that do require authorisation
The following measures will also be considered as appropriate safeguards and serve the purpose of transferring personal data outside of the EU insofar as you have previously obtained authorisation by the supervising authority:
- contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation, or;
- provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
International transfers of data within the corporate group: binding corporate rules (BCR)
Article 4.20 of the GDPR defines the binding corporate rules as personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
However, to constitute an appropriate safeguard BCRs require approval by the supervisory authority in accordance with the consistency mechanism, which is a process that verifies the compliance with all the requirements set out in Article 47, which might proof quite burdensome.
The requirements referred above include, but are not limited to, the necessity to be legally binding and apply to and be enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees. They shall also expressly confer enforceable rights to data subjects with regard to the processing of their personal data.
In addition, for their approval it is also mandatory to comply with the Working Documents of the Article 29 Working Party of Directive 95/46/EC and with any other regulations that may be applicable within the member State of the supervisory authority whose approval is required.
Derogations for specific situations
In the absence of an adequacy decision or of appropriate safeguards, including BCRs, international data transfers may still take place where meeting one of the following conditions:
- the data subject has given their informed and express consent to the proposed transfer;
- it is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures;
- it is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party:
- it is necessary for important reasons of public interest;
- it is necessary for the establishment, exercise or defence of legal claims;
- it is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is incapable of giving consent; or
- it is made from a register whose purpose is to provide information to the public and which is open to consultation either by the public in general or by any person with legitimate interest.
Last resource to conduct data transfers outside the EU
Finally, where an international transfer cannot be based on any of the foregoing, the GDPR sets forth several conditions which, where applicable, they will still enable you to transfer personal data outside of the EU or the EEA territory. These are the following:
- It is not repetitive;
- It concerns only a limited number of data subjects;
- It is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject; and
- the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.
In addition, when relying on this last resource you are also required to give notice of the transfer to the supervisory authority and to data subjects, thus providing the mandatory information set out in GDPR Articles 13 and 14 and the compelling legitimate interests pursued.
Examples of international data transfers
File storage and hosting
On a higher level, a website is just a set of files stored in a server that are transferred to an Internet user when requested. If the server where these files are stored is located in a country outside of the Economic European Area, then all personal data included in the website will be transferred to that third country.
And the same applies where a company transfers has its servers and stores personal data outside the EEA, or transfers that data to the parent company which is located on a third country.
Content published on blogs or websites
Websites, blogs or portfolios make information available to a public. Where that website page is open to anyone and the website’s information includes personal data, chances are you are transferring data out of the EU.
Why? Because every time a user makes a request to see the content of your website you send that data to that user and, when the user is located on a third country, you will transfer the personal data to that third country and therefore conduct an international data transfer.
Gmail and other email service providers
The way Gmail and other email cloud services works entail that your mails will be received, stored and send from an external server, the same to which you also connect every time you request to see our use your inbox.
Amongst that information there are, without any doubt, personal data, which include for example, the email address from the sender and the recipient where these identify individuals and not legal entities, the message’s metadata and the content where that content gives information about an individual.
When the server is located in a third country or international organisation, like Google, in the US, for Gmail (gmail.com), or Microsoft, also in the US, for Outlook (outlook.com, live.com, hotmail.com and msn.com), you will be transferring personal data out of the EU.
Sometimes these big tech corporations are established in different countries and the controller entity which will process your personal data is not where their headquarters are located (the US in the previous example), but another company that they have established in European soil.
This is something to also take into account, because if the controller entity is based in European territory and it does not transfer the data overseas back to its headquarters then there might not be any international data transfers.
Whatsapp, Skype and other instant message and video call services
Name and surnames, phone numbers, email addresses, time and date of the communication and content of the message are examples of personal data which are recorded by the companies which offer these services.
In the case of WhatsApp, company of the Facebook group, the services will be rendered by WhatsApp Inc (US company) or by WhatsApp Ireland Limited (Irish company), depending on where your place of residence.
This could mean that if you reside in the EU then the company providing you the services is the Irish company and therefore you are not conducting international data transfers.
However, since WhatsApp shares your information with the other companys of the group Facebook using that application would mean that you are transferring personal data out of the EEA.
Since WhatsApp shares your information with the other companies of the Facebook group, using WhatsApp involves transferring personal data outside the EEA.
When it comes to Skype, this is a product of Microsoft and, in the same way as Outlook it also involves transferring your personal data and contacts to the US.
MailChimp and other marketing platforms
Using marketing platforms to manage your subscriber lists and send advertising may also entail international data transfers where the companies offering these services are located out of the territory of the EEA.
This is the case, for example, with MailChimp, which is a product of the US company Rocket Science Group LLC.
MailChimp will process the personal data that you communicate them about your subscribers, such as first and last names, email addresses and phone numbers, as well as the data that you require in the contact forms. In addition, MailChimp also collects data of the devices and applications that your subscribers use to open emails, as well as data about their interactions with these emails, for instance, at what date and time they opened the message or how they browse the Internet.