What is a GDPR cross-border data transfer?
A cross-border data transfer means moving or sharing personal data from the European Economic Area (EEA) to another jurisdiction. Does your company share personal data with partners, remote workers, suppliers or others outside the EEA? If so, then you should know about GDPR’s strict rules for how companies collect, use and share personal data. These rules exist in order to prevent the personal data of EU citizens from ending up in countries or companies that are not covered by corresponding compliance requirements.
This guide is about what you need to know for compliance before making a cross-border data transfer.
Do you transfer personal data outside the EU?
Cross-border data transfers are common. Do you, for instance, outsource services related to your customer service, marketing, payroll or IT overseas? In that case, you probably transfer personal data outside the EU. To clarify, collecting personal data directly from a data subject in another country does not count as a cross-border transfer. However, sharing it with a third party in another country does.
For instance, suppose a web shop collects personal data from someone outside the EEA. At this point, it does not need to worry about cross-border transfer rules. Later, the web shop wants to transfer that customer data to a supplier or a customer service agency outside the EU/EEA. Now, it counts as an international transfer.
When does GDPR allow cross-border transfers?
The GDPR establishes the following legal mechanisms for transferring personal data outside the EU:
- Adequacy decisions (pre-approved countries)
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
Let’s discuss each of these briefly. Once you understand your options for legally sharing data overseas, you can assess each transfer on a case-by-case basis. To begin with, look at the country you are transferring to. Then, check whether the European Commission has decided that its laws provide adequate protection for personal data.
Countries with an adequacy decision under GDPR
It is up to the European Commission to decide whether a country offers an adequate level of data protection (i.e., comparable to GDPR’s). This is called an adequacy decision. Once a country has an adequacy decision from the Commission, you can transfer personal data there, without additional safeguards.
Countries seeking an adequacy decision must show that:
- Their national law is consistent with GDPR principles for data processing
- Data protection is regulated by an independent public authority
- Subsequent transfers of EU citizens’ personal data to countries without their own adequacy decision will not take place without consent
At this time, the Commission recognises the following non-EEA countries as providing adequate data protection for cross-border transfers:
- Andorra
- Argentina
- Canada (private organisations that fall under PIPEDA)
- Faroe Islands
- Guernsey
- Israel
- Isle of Man
- Japan
- Jersey
- New Zealand
- Republic of Korea
- Switzerland
- United Kingdom under the GDPR and the LED
- United States (private organisations that follow the EU-US Data Privacy Framework)
- Uruguay
Check whether an adequacy decision applies only to specific territories or specific sectors within a country. For example, the decisions on Canada and the U.S. are partial adequacy decisions. Therefore, only organisations that abide by PIPEDA in Canada, or that are certified under the EU-US Data Privacy Framework in the U.S., are covered.
Basically, countries, territories, and sectors with adequacy decisions are pre-approved by the EU as safe for data transfers. Therefore, you can transfer to regions with adequacy decisions the same way you would transfer data within the EEA. As always, the transfer should comply with the GDPR and you should protect the personal data in transit. Further, you should monitor the situation in the third country and be ready to take appropriate measures if their personal data protection level changes.
But what if you want to share data with someone in another country that is not on this list? In the absence of an adequacy decision, you may still be able to make the data transfer, with appropriate safeguards. Next, let’s talk about some of your options for transferring to countries without adequacy decisions.
Standard Contractual Clauses (SCCs)
Standard Contractual Clauses or SCCs are, in short, a set of pre-written contractual clauses meant to guarantee that data shared overseas maintains a level of protection equivalent to that provided by the GDPR. Anyone can use them, even small businesses. You can tailor them to your specific situation and the nature of your data transfers, then insert them into your contracts.
The clauses set out specific requirements for protecting personal data: for example, data security measures, data subjects’ rights, obligations in case of data breaches, and mechanisms for handling third-party requests for data access. They also provide for the resolution of disputes and the enforcement of the terms of the contract.
Binding Corporate Rules (BCRs)
A multinational company or corporation may set its own rules for protecting personal data when sharing it internationally. Then, they can submit these rules for approval to data protection authorities in the EEA. Such internal rules are called BCRs (Binding Corporate Rules).
In order to get EU approval, the BCRs should provide adequate protection for personal data and be consistent with the principles of the General Data Protection Regulation (GDPR). This means they should cover data subjects’ rights, data security measures, how to handle data breaches, as well as procedures for international data transfers. The company should commit to accept liability and pay compensation in case they violate their own BCRs.
Note that BCRs are for large corporate groups or multinational companies to share personal data between their own affiliates, franchises and/or subsidiaries based in third countries.
Exceptions in GDPR for sending data outside the EU
Certain data transfers outside the EU may be permitted without an adequacy decision, SCCs, or BCRs. The most common derogations/exceptions in GDPR for sending data outside the EU are:
- Explicit consent of the data subject. Did you get the person’s specific consent for the overseas transfer? Then make sure you tell the person about transfer risks. Let them know that the GDPR will not protect their personal data in the same way as it would be within the European Union (EU).
- Vital interests of the data subject. Is the data transfer needed to protect someone’s life or vital interests? Note that you should only use this exemption in exceptional circumstances.
- Performance of a contract. Do you need to transfer the data to fulfil a contract? If so, you may be allowed to make the transfer, as long as the data subject is a party to the contract and when there is no other way to fulfil the contract.
- Public interest. Is the transfer necessary for important reasons of public interest? For example, to protect national security or the investigation of a criminal offence?
In review, if you transfer personal data to a country without an adequacy decision and without using SCCs or BCRs, you must be able to answer yes to one of the questions above.
If you are still not sure you should make the international transfer, seek legal advice. After all, GDPR fines for cross-border transfer violations can be high, up to €20 million or 4% of your annual global turnover.
Sending data outside the EU regularly?
According to GDPR, if you plan on sending data outside the EU regularly, you should say so in your privacy policy. You should list any countries you send personal data to and why. Explain whether those countries are pre-approved by the European Commission. If they are not, describe the safeguards you will use to make sure the data is protected. Keep the language simple, clear and easy to understand.
Other countries with cross-border transfer rules
The EU is not the only region with strict rules for international data transfers. At this time, data regulations that include cross-border data transfer protection rules include:
- APP: Australia’s Privacy Principles
- APPI: Japan’s Act on the Protection of Personal Information
- FADP: Switzerland’s Federal Act on Data Protection
- PIPL: China’s Personal Information Protection Law
- PIPEDA: Canada’s Personal Information Protection and Electronic Documents Act
Countries with strict data protection laws do not want their citizens’ data to end up abroad without protection. So, check your country’s laws. Make sure that the third countries and companies you share people’s data with have a level of data protection comparable to the laws in your jurisdiction.
Send data safely to anyone in the world
Remember, even if a cross-border transfer is legal, you are still responsible for keeping the data safe in transit. A secure mail add-in makes it easy to send data safely, regardless of where the other person is in the world. Data you send with ShareSimple is always kept in a secure folder on EU servers.
Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist