The rules provided for by the GDPR for the transfer of personal data outside the European Union

The GDPR establishes the principle that personal data must remain, as much as possible, in the European Union. But there are exceptions to this principle. The main thing is to ensure a uniform level of protection throughout the processing, regardless of the location of the data and the actor processing it.

Survey response: According to the GDPR, can personal data be transferred outside the EU?

During a survey carried out on December 14 on our LinkedIn page, we asked you if personal data can be transferred outside the European Union.
You did well! Out of 317 voters, 28% of you voted no and 72% of you voted yes. In fact, both answers are correct, but each needs to be qualified.

In principle, personal data cannot be transferred, but several exceptions allow derogation from this principle.

What are the exceptions for transferring data outside the EU?

The GDPR identifies the scenarios in which data may be transferred outside the EU. These include the following cases:

  • The destination country is part of the list of countries considered suitable by the European Commission, that is, as having a sufficient level of protection through their data protection regulations.
    These countries are Switzerland, Argentina, Guernsey, Isle of Man, New Zealand, Jersey, Faroe Islands, Andorra, Israel, Uruguay and Japan.
  • The company transferring the data has set up binding corporate rules (or BCR). That is to say, it has an internal policy or code of conduct relating to the protection of data when transferred to a third country. BCRs make it possible to offer adequate protection to data transferred from the European Union to third countries within the same company or group. However, the guarantees provided by the BCRs and the legislation of the third country concerning data protection must be of a sufficient level according to the European Commission.
  • Standard contractual clauses (or CCT) are signed by both companies. CCTs are model contractual clauses which govern the transfer of personal data to a third country. They are provided by the European Commission. Their aim is to facilitate the task of data controllers in the implementation of transfer contracts. CCTs ensure a contractual relationship that respects personal data.
  • The company can also draw up an administrative arrangement, a legally binding text or an approved certification mechanism to ensure a sufficient level of protection of the data of the persons concerned.

If the country to which the data is transferred is not adequate and none of the aforementioned guarantees is in place, the transfer may still be possible if:

  • The person concerned has expressly consented to the transfer of personal data.
  • The transfer proves necessary under one of the following conditions:
    • Safeguarding the person's life;
    • Safeguarding the public interest;
    • Compliance with obligations to ensure the establishment, exercise or defense of a legal right;
    • Consultation, under regular conditions, of a public register which, by virtue of legislative or regulatory provisions, is intended for public information and is open to consultation by the public or by any person demonstrating a legitimate interest;
    • The execution of a contract between the controller and the interested party, or pre-contractual measures taken at the latter's request;
    • The conclusion or performance of a contract concluded or to be concluded, in the interest of the data subject, between the controller and a third party.

In the case of the United States, Safe Harbor had been in effect since 2000. This agreement concluded with the European Union aimed to authorize, under certain conditions, transfers of European data to the United States. It was invalidated by the Court of Justice of the European Union.
The Privacy Shield replaced this agreement; however, it was also invalidated by the CJEU. While awaiting a new agreement, the CNIL recommends:

  • To evaluate the legislation of the third country to which the data is transferred, here the United States;
  • To implement additional measures so that data is sufficiently protected (for example CCTs).

Once you have identified whether any of the above conditions apply, the transfer can be made. The challenge of transfers outside the EU also lies in informing people.
You must be transparent about data processing for its entire duration. Individuals must be clearly informed, for example in your external personal data protection policy or confidentiality policy. This information must be easily accessible and understandable.

Data Comply One (formerly Mission RGPD) simply guides you with your transfers outside the European Union

Are you unable to find out about your transfers outside the European Union? Don't have time to find out? Or do you lack the means to be compliant?
With Data Comply One (formerly Mission RGPD) you are guided to document and answer all the necessary transfer questions, particularly in processing and subcontracting registers.
Don't waste any more time, it's so simple!