Cross-border data transfers under GDPR

In today’s globalized world it is unavoidable to transfer personal data belonging to an individual to a company established in another country when providing a service or goods. For example, when an individual living in the EU orders a few pieces of camera equipment from eBay (which is established in the US), the goods may be shipped directly from China; in that example the personal data needs to be shared with organizations established in at least 3 different countries.

GDPR imposes restrictions when transferring personal data belonging to an individual on EU soil to an organization established outside the EU. In this post we will look at the possible approaches and the guidelines that need to be followed during cross-border data transfers to outside the EU. Chapter 5 of the GDPR is dedicated to setting out the regulations related to cross-border data transfers from the EU to outside.

GDPR sets out 3 broad approaches to facilitate cross-border data transfers to outside the EU:

  1. Based on adequacy decision
  2. Based on appropriate safeguards
  3. Based on specific derogations

Based on adequacy decision

The EU Commission can decide that a particular third country/territory/organization ensures an adequate level of data protection; when transferring data to such a country/territory/organization no special authorization is required.

The EU Commission decides whether a third country/territory/organization ensures an adequate level of data protection after evaluating a number of factors such as the rule of law, human rights, fundamental freedoms, the independent functioning of supervisory bodies, etc. The EU maintains the list of such approved countries/territories/organizations in the “Official Journal of the European Union” and regularly reviews the latest developments in the above factors in the context of each country/territory/organization.

Based on appropriate safeguards

It is legitimate to transfer data out of the EU if the organization receiving the personal data has provided appropriate safeguards. The following are some of the possible safeguards:

  1. A legally binding agreement between public authorities.

Based on specific derogations

One of the following approaches can also be used for cross-border data transfers from the EU to outside.

  1. Consent — based on the individual’s informed consent to a specific cross-border data transfer.

Integration and Identity Architect & PMC Member @ The Apache Software Foundation, was a Director @ WSO2