Cross-border data transfers under GDPR

In today’s globalized world it’s unavoidable to transfer personal data belong to an individual with a company established in another country when providing a service or goods, for an example when an individual live in EU ordering few camera equipments from EBay (which established in US) it may possible to ship them directly from China, in that example the personal data need to be shared with organizations established in at least 3 different countries.

GDPR imposes restrictions when transferring personal data belong to an individual in EU soil to an organization established outside the EU. In this post we will look at possible approaches and guidelines that need to be followed during cross-border data transfers to outside the EU. Chapter-5 of the GDPR is dedicated to set out regulations related to cross-border data transfers from EU to outside.

GDPR set out 3 broad approaches to facilitate cross-border data transfers to outside the EU.

1. Based on adequacy decision
2. Based on appropriate safeguards
3. Based on specific derogations

Based on adequacy decision

EU Commission can decide a particular 3rd party country/territory/organization can ensure adequate level of data security, when transferring data to a such country/territory/organization there is no special authorization required.

EU Commission can decide whether a 3rd party country/territory/organization can ensure adequate level of data security after evaluating number of factors such as rule of law, human rights, fundamental right of freedom, independent functioning of supervisory bodies etc. EU maintains list of such approved countries/territories/organizations in “Official Journal of the European Union” and regulatory review latest development of above factors in the context of each country/territory/organization.

Based on appropriate safeguards

It’s legitimate to transfer data out of the EU if the organization receiving the personal data has provided adequate safeguards, following are some of the possible safeguards….

1. A legally agreement between public authorities.
2. Binding Corporate rules (BCR) — agreements within in a corporate group.
3. Model Contracts — Standard data protection clauses in the form of template transfer clauses adopted by the Commission/supervisory authority and approved by the Commission.
4. Compliance with an approved code of conduct approved by a supervisory authority.
5. Certification under an approved certification mechanism.
6. Contractual clauses agreed authorized by the supervisory authority.
7. Provisions inserted into arrangements between public authorities by the supervisory authority.

Based on specific derogations

One of the following approach can also be used for cross-border data transfers from outside to EU.

1. Consent — based on individual’s informed consent on specific cross-border data transfer.
2. Contract — based on a contract between the individual and the organization.
3. Public interest — important reasons of public interest.
4. Legal claims — to exercise or defence of legal claims.
5. Vital interests — vital interests of the individual or other persons, where the individual is incapable of giving consent.
6. According to EU law — intended to provide information to the public on legitimate interest.