The transfer of personal data outside the European Economic Area (EEA) requires careful planning.
The EU’s General Data Protection Regulation (GDPR) sets out provisions that govern the transfer and disclosure of personal data. Information about the different options for ensuring compliance with the data protection requirements when transferring personal data outside the EU/EEA is available on the European Commission’s website. Of all the transfer options, the two most common mechanisms are an adequacy decision and standard contractual clauses.
If a non-EU country (such as Israel, Japan, New Zealand or Switzerland), a specific region, or one or more sectors (such as commercial organisations in Canada) has been deemed by the European Commission to provide an adequate level of protection for personal data, the transfer may proceed without any separate authorisation or additional transfer safeguards. This is called an adequacy decision.
The European Commission publishes its adequacy decisions on its website.
If there is no adequacy decision, data may be transferred on the basis of the standard contractual clauses adopted by the European Commission.
There are different sets of standard contractual clauses depending on the recipient’s role: controller to controller, and controller to processor. The standard contractual clauses aim to ensure that appropriate safeguards are put in place to provide a similar level of protection for the personal data of European citizens when their data is processed outside the EU/EEA, regardless of the legislation of the recipient country. The standard contractual clauses must be included in the contract as they are, without any changes to the wording. The document that sets out the standard contractual clauses may only be changed by adding information that identifies the contracting parties or that is provided in the appendices.
A decision taken by the Court of Justice of the European Union in July 2020 further highlights the need to assess, together with the recipient, whether the standard contractual clauses alone are enough to provide a level of protection for the data in the non-EEA country that meets the GDPR standard.
Possible additional safeguards may include, for example, the pseudonymisation and the encryption of data. These measures may be used in any case, regardless of the transfer mechanism relied on.
See also the instructions issued by the Data Protection Ombudsman.
Transfer of personal data to the UK
At the moment (19 October 2020), there are open questions concerning data transfers from an EU country to the UK once the post-Brexit transition period ends on 31 December 2020.
The EU and the UK may enter into an agreement on their post-Brexit collaboration in October, and such an agreement is likely to also address the level of protection that UK legislation provides for personal data. The content of any such agreement will not be known until both parties have signed it. The negotiations are underway, but whether an agreement will be concluded remains uncertain. There is an alternative solution in case the agreement is not concluded or approved before the end of 2020.
If, after the transition period, the UK retains data protection legislation that the EU considers adequate, the European Commission may make an adequacy decision for the UK. However, the European Commission cannot make that decision until the transition period has ended and the content of UK data protection legislation is known. The European Commission is assumed to be already drawing up an adequacy decision, but there is no guarantee that it will be confirmed right after the turn of the year.
If you want to be sure that you can continue using the services provided by UK-based data processors or data controllers after the end of 2020, you should include the EU’s standard contractual clauses in the agreements signed with these parties, at least where the agreement is signed before the European Commission makes a possible adequacy decision.
A decision taken by the Court of Justice of the European Union in July 2020 further highlighted the need to assess, together with the recipient, whether the standard contractual clauses alone are enough to provide a level of protection for the data in the non-EEA country that meets the GDPR standard. There is currently no indication that the UK’s domestic data protection laws would diverge from the EU data protection framework. The standard contractual clauses should therefore be enough to enable the transfer of data to the UK after the end of 2020. The standard contractual clauses may already be used now, if only to be on the safe side, because the clauses are largely consistent with the data protection laws currently in force in the UK. If the European Commission later makes an adequacy decision for the UK, existing agreements will not need to be updated or revised merely because the standard contractual clauses are included in them.