This blog has been updated to reflect industry developments. Originally published Jan 04, 2018.
The EU General Data Protection Regulation (GDPR) restricts transfers of personal data to countries outside the EEA.
These restrictions apply to all transfers, no matter the size of transfer or how often you carry them out.
So how do you make a restricted transfer in accordance with the GDPR? We explain in this post.
How do I know if I’m making a restricted transfer?
A transfer is defined as restricted if:
1) The GDPR applies to your processing of the personal data you are transferring.
For guidance on what constitutes personal data, see: GDPR: How the definition of personal data has changed.
2) You are sending personal data (or making it accessible) to a receiver to which the GDPR does not apply. This usually applies to recipients located in a country outside the EEA.
3) The receiver is a separate organisation or individual. This includes transfers to another company within the same corporate group.
How to make a restricted transfer in accordance with the GDPR
In order to comply with the GDPR, you must take the following factors into consideration:
1) Is the restricted transfer covered by an ‘adequacy decision’?
If you are making a restricted transfer, you need to know whether it is covered by an EU Commission “adequacy decision”.
The ICO describes the ‘adequacy decision’ as:
…a finding by the Commission that the legal framework in place in that country, territory, sector or international organisation provides ‘adequate’ protection for individuals’ rights and freedoms for their personal data.
2) Is the restricted transfer covered by appropriate safeguards?
If there is no ‘adequacy decision’ for your restricted transfer, you need to find out whether you can make the transfer subject to ‘appropriate safeguards’ listed in the GDPR.
These ‘appropriate safeguards’ are:
- A legally binding and enforceable instrument between public authorities or bodies.
- Binding corporate rules.
- Standard data protection clauses adopted by the Commission.
- Standard data protection clauses adopted by a supervisory authority and approved by the Commission.
- An approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA.
- Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA.
- Contractual clauses authorised by a supervisory authority.
- Administrative arrangements between public authorities or bodies which include enforceable and effective rights for the individuals whose personal data is transferred, and which have been authorised by a supervisory authority.
3) Is the restricted transfer covered by an exception?
If you are making a restricted transfer that isn’t covered by an ‘adequacy decision’ or the appropriate safeguards listed above, you can only make the transfer if it is covered by one of the eight ‘exceptions’ set out in Article 49 of the GDPR.
These exceptions are:
Exception 1: The individual has given his or her explicit consent to the restricted transfer.
Exception 2: You have a contract with the individual and the restricted transfer is necessary for you to perform that contract.
Alternatively, you are about to enter into a contract with the individual, and the restricted transfer is necessary for you to take steps requested by the individual in order to enter into that contract.
Exception 3: You have (or are entering into) a contract with an individual which benefits another individual whose data is being transferred, and that transfer is necessary for you to either enter into that contract or perform that contract.
Exception 4: You need to make the restricted transfer for important reasons of public interest.
Exception 5: You need to make the restricted transfer to establish if you have a legal claim, to make a legal claim or to defend a legal claim.
Exception 6: You need to make the restricted transfer to protect the vital interests of an individual. He or she must be physically or legally incapable of giving consent.
Exception 7: You are making the restricted transfer from a public register.
Exception 8: You are making a one-off restricted transfer and it is in your compelling legitimate interests.
Pseudonymisation and encryption
The GDPR advises organisations to pseudonymise and/or encrypt all personal data.
This won’t stop malicious actors from accessing the information altogether, but it will make it much harder for them.
According to Gemalto’s Breach Level Index, only 4% of data breaches since 2013 have involved encrypted data.
Pseudonymisation masks data by replacing identifying information with artificial identifiers.
Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption.
Encryption also obscures information by replacing identifiers with something else.
But whereas pseudonymisation allows anyone with access to the data to view part of the data set, encryption allows only approved users to access the full data set.
Pseudonymisation and encryption can be used simultaneously or separately.
Neither encryption nor pseudonymisation requires technical knowledge to implement.
The difficulty for organisations is in putting in place suitable security policies and procedures and making staff aware of their obligations.
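As an added illustration of the distinction drawn above (example code, not from the original post): a keyed pseudonymisation routine in Python that swaps the identifying fields of a record for artificial identifiers while leaving the remaining fields readable, together with the re-identification mapping and secret key that must be held separately from the data set. The field names and the sample record are assumptions constructed for the example.

```python
import hmac
import hashlib
import secrets

# Fields that directly identify a person; everything else stays readable.
IDENTIFYING_FIELDS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Derive a stable artificial identifier for one identifying value.

    HMAC-SHA256 under a secret key means the same input always maps to the
    same token (records for one person can still be linked for analytics),
    while anyone holding the data but not the key cannot recover the value.
    The digest is truncated only for readability here.
    """
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes) -> tuple:
    """Return (pseudonymised record, re-identification entries).

    The token -> real value mapping is the 'additional information' that
    must be stored separately from the pseudonymised data set.
    """
    out, reid = dict(record), {}
    for field in IDENTIFYING_FIELDS:
        if field in out:
            token = pseudonym(out[field], key)
            reid[token] = out[field]
            out[field] = token
    return out, reid


def reidentify(record: dict, reid: dict) -> dict:
    """Restore original values; only possible with the separately held mapping."""
    return {f: (reid.get(v, v) if f in IDENTIFYING_FIELDS else v)
            for f, v in record.items()}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept by the controller, never shipped with the data
    # Constructed sample record, not real personal data.
    customer = {"name": "Ada Example", "email": "ada@example.test",
                "country": "IE", "plan": "pro"}
    pseudo, mapping = pseudonymise(customer, key)
    print(pseudo)  # country and plan remain readable; name and email are tokens
    print(reidentify(pseudo, mapping) == customer)
```

A recipient of the pseudonymised records alone sees the non-identifying columns but cannot reverse the tokens; re-identification requires the mapping (or the key plus a candidate value), which is why both are stored and access-controlled apart from the data.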
Our GDPR Staff Awareness E-learning Course is a flexible way of introducing your staff to the Regulation’s compliance requirements.
It covers the scope of the Regulation, the key data protection roles, the principles for collecting and processing personal information, and how to apply the requirements to your organisation.
This course is suitable for all staff, and with the cost of data breaches rising every year, it’s essential that everyone in your organisation follows best practice for staying secure.