Mikel Recuero Linares (UPV/EHU)
This part of The Guidelines has been reviewed and validated by Marko Sijan, Senior Advisor Specialist, (HR DPA)
The GDPR does not expressly define what is meant by a transfer of data to third countries or international organizations (hereinafter ‘international transfer’). However, the regime for international transfers is explicitly laid down in Articles 44 to 50 of the Regulation. Therefore, the definition of international transfer has to be inferred by assessing each concept individually, which results in the following definition:
The processing operation whereby a controller or a processor within the EEA (‘data exporter’) transfers (or gives access to) personal data to a controller or processor outside the EEA (‘data importer’) or an international organization.
These transfers are perfectly acceptable and often necessary, but they should not undermine the level of protection of the concerned individuals given in the EU or granted by the GDPR. Therefore, transfers to third countries or international organizations should be done in full compliance with Chapter V of the GDPR.
Requirements
Transfers of personal data to third countries and international organisations may only be carried out:
- Where the controller or processor has complied with the other provisions of the GDPR[1]. Prior to carrying out the international transfer, provisions and requirements under the GDPR must also be complied with. In addition to the specific rules of Chapter V applicable to data transfers, the data importer and the data exporter will have to comply with “the other provisions of this Regulation” (e.g. general principles, legal basis, derogations for the processing of sensitive data, etc.).
- Where specific conditions laid down relating to the transfers of personal data are complied with by the controller or processor. This can be carried out, mainly, through three instruments, in this exact order:
- These principles and requirements will not only apply to the first data transfer, but also to onward transfers to other controllers or processors in the same or another third country or international organization[2].
A) Transfers on the basis of an adequacy decision
Firstly, a transfer can only be carried out where it is covered by an adequacy decision. This decision is a ruling by the European Commission that the legal framework in place in that country, territory, sector or international organization provides ‘adequate’ protection for individuals’ rights and freedoms for their personal data[3]. An “adequacy decision” is an implementing act by the Commission[4] adopted in accordance with an examination procedure[5] and subject to a periodic review.
The adoption of an adequacy decision involves:
- a proposal from the European Commission;
- an opinion of the European Data Protection Board (“EDPB”);
- an approval from representatives of EU countries; and
- the adoption of the decision by the European Commissioners.
The aim of this decision is therefore to assess whether a country, territory, sector or international organization provides an ‘adequate’ level of protection for individuals’ rights and freedoms (see “Data Subject Rights” section in the General Part of these Guidelines). Moreover, Article 45(2) of the GDPR lists the elements that the Commission shall, in particular, take into account when assessing the adequacy of the level of protection in a third country or international organization.
The benefits of relying on adequacy decisions for carrying out international transfers are obvious. The decision will have EU-wide effect[6] and no specific authorization will be required[7]. However, this mechanism also poses several shortcomings:
- There are very few countries with valid adequacy decisions in force[8].
- The adequacy decisions in force do not necessarily apply to and / or cover all processing operations and sectors.
- The case law of the Court of Justice of the European Union has significantly diminished the robustness and trust of these tools. Specific reference should be made to its Schrems I[9] and II[10] judgments, which, among other issues, annulled the ‘Safe Harbor’ and ‘Privacy Shield’ decisions, respectively:
- The word ‘adequate’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed in the EU[11], even though the means to which that third country has recourse may differ from those employed within the EU[12].
- The national supervisory authorities are vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with European data protection rules[13]. However, as a rule, as long as the Commission’s decision is not declared invalid by the CJEU, the Member States and the supervisory authorities cannot adopt measures contrary to that decision[14]. This cannot prevent persons whose personal data has been or could be transferred to a third country from lodging a claim[15].
- Legislation permitting public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental rights of European data subjects[16]. Likewise, legislation not providing any possibility for individuals to pursue legal remedies in order to have access to personal data relating to them, or to obtain the rectification or erasure of the data does not respect the essence of the fundamental right to effective judicial protection[17].
B) Transfers subject to appropriate safeguards
In the absence of an ‘adequacy decision’, a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subjects’ rights and effective legal remedies for data subjects are available[18]. That is to say, if there is no ‘adequacy decision’ about the country, territory or sector to which the transfer is to be made, the controller or processor may choose between the mechanisms set out in Article 46 of the GDPR in order to provide ‘appropriate safeguards’.
In the application of the mechanisms in Article 45 there is no need to observe a specific order. It is possible to choose the mechanisms according to the particular needs or the purpose of the processing. However, the GDPR classifies these mechanisms according to whether or not they require any specific authorization from a supervisory authority:
- Mechanisms that do not require any specific authorization from a supervisory authority[19]:
- Legally binding and enforceable instruments between public authorities or bodies, e.g. administrative arrangements which include enforceable and effective individual rights.
- Binding Corporate Rules (BCR). These are commonly used for data transfers within multinational companies. BCRs are an internal code of conduct operating within a multinational group, which applies to restricted transfers of personal data from the group’s EEA entities to non-EEA group entities. There are many documents about BCRs adopted by the European Data Protection Board and the former WP29[20].
- Standard Contractual Clauses (SCC) adopted by the Commission, also known as model clauses. They contain contractual obligations on the data exporter and the data importer and rights for the individuals. Therefore, they must be signed by both the data exporter (EEA country) and the data importer (outside the EEA, or an international organization). The European Commission adopted SCC models for controllers and for processors[21].
- An approved code of conduct. The transfer could be carried out if the receiver has signed up to a code of conduct which has been previously approved by a supervisory authority. The code of conduct must include minimum content and requirements in accordance with Article 40 of the GDPR (i.e. appropriate safeguards to protect the rights of individuals). The EDPB has adopted a set of guidelines on codes of conduct[22]. No approved codes are yet in use. However, many institutions and organizations are developing codes (e.g. the BBMRI-ERIC is developing a Code of Conduct for Health Research)[23].
- An approved certification. The transfer could be carried out if the receiver has a certification under a scheme approved by a supervisory authority. The certification mechanism must include minimum content and requirements in accordance with Article 40 of the GDPR (i.e. appropriate safeguards to protect the rights of individuals). The EDPB has adopted a set of guidelines on certification mechanisms[24]. No approved certification mechanisms are yet in use.
- Mechanisms that require authorization from the competent supervisory authority:
- Contractual clauses authorized by a supervisory authority. Even if the model clauses adopted by the European Commission are not used, other models of SCC may be adopted if they are previously and individually approved by the competent supervisory authority.
- Provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights, e.g., a document such as a memorandum of understanding.
Nevertheless, the case law stemming from the Schrems II ruling of the Court of Justice of the European Union has led to important consequences for the Standard Contractual Clauses and the rest of mechanisms for transferring data to third countries on the basis of appropriate safeguards. Firstly, because data subjects whose personal data are being transferred to a third country pursuant to Standard Contractual Clauses (or other mechanisms) should be afforded, as in the context of an adequacy decision, a level of protection essentially equivalent to that guaranteed within the European Union[25]. Secondly, because this may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection[26]. As a result, if the data exporter established in the EU is not able to take appropriate supplementary measures, they are required to suspend or prohibit the transfer of personal data “in the event of the breach of such clauses or if it is impossible to honor them”[27].
C) Derogations for specific situations
Finally, where the transfer is covered neither by an adequacy decision nor by an appropriate safeguard mechanism, it shall only be carried out if it is covered by one of the exceptional derogations or situations set out in Article 49 of the GDPR[28]:
- Where the data subject has explicitly consented to the proposed transfer.
- Where the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request.
- Where the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
- Where the transfer is necessary for important reasons of public interest.
- Where the transfer is necessary for the establishment, exercise or defense of legal claims.
- Where the transfer is necessary in order to protect the vital interests of the data subject or of other persons, when the data subject is physically or legally incapable of giving consent.
- Where the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest.
Further Reading
Article 29 Data Protection Working Party. Recommendation on the approval of the Processor Binding Corporate Rules form. https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51307
Article 29 Data Protection Working Party. Recommendation on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data. https://edpb.europa.eu/sites/edpb/files/files/file2/wp264_art29_wp_bcr-c_application_form.pdf
Court of Justice of the European Union. Judgment of 16 July 2020, Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems, (C-311/18, Schrems II).
Court of Justice of the European Union. Judgment of 6 October 2015, Maximillian Schrems v Data Protection Commissioner (C-362/14, Schrems I).
European Commission. Binding Corporate Rules (BCR). https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en
European Commission. Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. C/2021/3972. OJ L 199, 7.6.2021, p. 31–61. Available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
European Commission. Rules on international data transfers. https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/rules-international-data-transfers_en
European Data Protection Board (EDPB). Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation. https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf
European Data Protection Board (EDPB). Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679. https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf
European Data Protection Board (EDPB). Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679. https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf
References
[1] See Article 44 of the GDPR: “Any transfer of personal data (…) shall take place only if, subject to the other provisions of this Regulation (…)”.
[2] See Article 44 in fine of the GDPR.
[3] Article 45(1) of the GDPR.
[4] Article 45(3) of the GDPR.
[5] Article 93(2) of the GDPR.
[6] Recital 103 of the GDPR.
[7] Article 45(1) in fine of the GDPR.
[8] After the further annulment of the Privacy Shield by the CJEU, there are currently only decisions in force with: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
[9] Court of Justice of the European Union. Judgment of 6 October 2015, Maximillian Schrems v Data Protection Commissioner (C-362/14, Schrems I).
[10] Court of Justice of the European Union. Judgment of 16 July 2020, Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (C-311/18, Schrems II).
[11] Court of Justice of the European Union. Judgment of 6 October 2015, Maximillian Schrems v Data Protection Commissioner (C-362/14, Schrems I), parag. 73.
[12] Ibid., parag. 74.
[13] Ibid., parag. 47.
[14] Ibid., parag. 52.
[15] Ibid., parag. 53 and 66.
[16] Court of Justice of the European Union. Judgment of 16 July 2020, Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (C-311/18, Schrems II), parag. 185.
[17] Ibid., parag. 197 and 198.
[18] Article 46 of the GDPR.
[19] Under Article 46(2) of the GDPR.
[20] European Commission. Binding Corporate Rules (BCR). At: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en Accessed 12 May 2020.
[21] Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. C/2021/3972. OJ L 199, 7.6.2021, p. 31–61. Available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
[22] EDPB. Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, Version 2.0, 4 June 2019. At: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf Accessed 12 May 2020.
[23] BBMRI-ERIC. Code of conduct for health research: taking up speed & calling for your input. At: https://www.bbmri-eric.eu/news-events/code-of-conduct-for-health-research/ Accessed 12 May 2020.
[24] EDPB. Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation, Version 3.0, 4 June 2019. At: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf Accessed 12 May 2020.
[25] Court of Justice of the European Union. Judgment of 16 July 2020, Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (C-311/18, Schrems II), parag. 96.
[26] Ibid., parag. 132 and 125.
[27] Ibid., parag. 134 and 135.
[28] More information about Article 49 derogations and exceptions can be found in EDPB, Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, adopted on 25 May 2018. At: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf Accessed 14 May 2020.