International data transfers
The GDPR places restrictions on the transfer of personal data into and out of the EU (Norway, Liechtenstein and Iceland are outside of the EU, but inside the EEA and it is not entirely clear at this point how they will be treated under the GDPR). Transfers can take place if they are:
- to a country on the white-list
- to a US organisation which has committed to the ‘Privacy Shield’
- made pursuant to a set of Model Clauses
- made pursuant to binding corporate rules
- made to an importer who has signed up to an approved code or obtained an approved certification
Transfers are also possible if one of the following individual derogations applies:
- the transfer is made with the data subject’s explicit consent
- the transfer is necessary for the performance of a contract with the data subject
- the transfer is required on important public interest grounds or for legal claims
- the transfer is necessary to protect the vital interests of the data subject
- the transfer is made from a public register
- the transfer is made under the new minor transfer exemption
Personal data can be transferred to countries on the ‘white-list’. These are countries that the European Commission has identified as providing an adequate level of protection for personal data. This list comprises the following 11 countries: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.
Transfers are also permitted to organisations in the US which have committed to the EU / US ‘Privacy Shield’, although these organisations are not technically considered to be on the white-list.
The GDPR continues to allow for transfers of personal data based on standard data protection clauses (the Model Clauses) adopted by the European Commission. The Commission has previously issued two sets of standard Model Clauses for transfers from data controllers to data controllers established outside the EU (C2C) and one set for transfers to data processors established outside the EU (C2P); these will continue to apply under the GDPR. One of the key improvements introduced by the GDPR is the abolition of the current process which requires certain transfers based on standard Model Clauses to be notified to, or approved by, data protection authorities.
Use of binding corporate rules
Binding corporate rules (BCRs) are a set of binding rules adopted by multinational organisations and approved by national regulators to ensure the protection of personal data in multiple jurisdictions. BCRs have been in place for some time but the GDPR finally places BCRs on a statutory footing and also sets out uniform criteria for the approval of BCRs across the EU and removes the obligation to obtain additional approval from other data protection authorities for transfers of personal data based on BCRs. BCRs tend only to be used by very large companies with significant volumes of data, as the time and expense involved in the process is significant.
Operations across multiple EU member states
Where businesses operate across multiple EU member states, they will want to identify their lead data protection supervisory authority. This will apply where:
- a business is established in two or more EU member states and processes personal data in relation to its activities in those member states
- a business is only established in one EU member state but processes personal data in a way which substantially affects, or is likely to substantially affect, data subjects in more than one EU member state
In these circumstances the lead data protection supervisory authority will be the main data protection regulator (i.e. the one-stop-shop) that the business deals with in relation to its GDPR compliance issues, such as registering its DPO, notifying data security breaches, handling data protection complaints and undertaking enforcement activity relating to cross-border processing. To avoid ‘forum-shopping’, the EU working party tasked with data protection guidance has published Guidelines for identifying a lead supervisory authority.
Post-Brexit, the rules on international data transfers will become even more relevant to the UK because the UK will no longer be an EU member state (for more information see “Impact of Brexit”).