Nine Muses

The transfer of personal data outside of EU

This article is related to the General Data Protection Regulation. For more information, see Introduction to the General Data Protection Regulation.

Since the GDPR ensures that all EU countries have an equal protection of personal data, the general rule is that personal data can move freely between these countries. For transfer of personal data outside the EU/EEA though, certain rules apply.

Because of the non-existence of general rules outside of EU that ensures similar data protection guarantees, data transfer to these countries can only be allowed under very specific conditions.

This article will explore those conditions, but first:

What does ”transfer of data” mean?

I’ll illustrate with an example:

You have a client portal hosted by an EU company. Since the portal is operated by a business within the EU I assume that portal generally comply with the GDPR.

You want to connect this portal to a new reporting software hosted in USA. The reporting software needs personal data input from your system to generate it’s report.

Sending the data to this system would mean that a data transfer took place.

Conditions for transfer of personal data across EU borders

The GDPR states that, as long as all the other rules are complied with, a transfer of personal data outside of the EU can befall under any of these conditions:

  1. Commission decisions on the adequacy of the protection of personal data
  2. Appropriate protection measures
  3. Certain permission from your data inspection authority
  4. Consent or specifically specified situations
  5. One-off transfers

Commission decisions on the adequacy of the protection of personal data

If the EU commission has decided that a certain country guarantees an adequate level of protection, you are allowed to transfer data to that country without any specific permission – again: as long as the other rules of the GDPR are complied with.

The only authority that can decide on the adequacy of a country’s protection levels is the EU commission.

At the time of this writing, whitelisted countries include: Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, State of Israel, Isle of Man, Jersey, New Zealand, United States and Eastern Republic of Uruguay.

You’ll find the current list here.

Appropriate protection measures

If the EU commission has not decided that a certain country guarantees an adequate level of protection, a data transfer may happen if the data controller:

  1. Has taken appropriate protection measures.
  2. There exists statuary rights and effective means of legal address for the person in the country the data is moved to.

The protective measures effectively means that the data transfer shall be based on:

Certain permission from your data inspection authority

Data may be transferred after a certain permission has been sought and received from your data inspection authority.

In some instances you may be allowed to transfer personal data to a country outside of EU, even though the country doesn’t have an adequate protection level nor any appropriate protection measures have been made.

E.g. data can be transferred if the person has explicitly given their consent to the transfer, after being informed about the risks of the transfer.

Data may also be transferred in certain legal cases – such as to fulfill a contract on behalf of the person, or to guard legal claims.

One-off transfers

A transfer of data is also allowed if:

  1. The transfer happens only at one single time
  2. It only concerns a limited number of people
  3. An appropriate weighing of interest

Such a weighing of interest shall assure that the transfer is necessary because of forced legitimate interests for the data controller, and that the individual’s interests or rights weigh less.

It is also required that the data controller take appropriate measures to safeguard the personal data.

If a transfer happens during these conditions the data controller has to inform the data inspection authority och de concerned individuals about the transfer and the legitimate interests that are the reason for the transfer.

Additional information

For more information about the General Data Protection Regulation, click here.

If you have any comments or questions, please send me an email.

Subscribe to new articles

Read more articles

Hi, I'm Christoffer Lejdborg! I believe software has tremendous potential to transform your business in amazing ways, but people are too focused on the technology instead of the business case.

Some of my clients are very well known, some are not – but I love them all equally.


hello@9muses.se
+46 70-218 17 24