This article is related to the General Data Protection Regulation. For more information, see Introduction to the General Data Protection Regulation.
Since the GDPR ensures that all EU countries have an equal protection of personal data, the general rule is that personal data can move freely between these countries. For transfer of personal data outside the EU/EEA though, certain rules apply.
Because of the non-existence of general rules outside of EU that ensures similar data protection guarantees, data transfer to these countries can only be allowed under very specific conditions.
This article will explore those conditions, but first:
I’ll illustrate with an example:
You have a client portal hosted by an EU company. Since the portal is operated by a business within the EU I assume that portal generally comply with the GDPR.
You want to connect this portal to a new reporting software hosted in USA. The reporting software needs personal data input from your system to generate it’s report.
Sending the data to this system would mean that a data transfer took place.
The GDPR states that, as long as all the other rules are complied with, a transfer of personal data outside of the EU can befall under any of these conditions:
If the EU commission has decided that a certain country guarantees an adequate level of protection, you are allowed to transfer data to that country without any specific permission – again: as long as the other rules of the GDPR are complied with.
The only authority that can decide on the adequacy of a country’s protection levels is the EU commission.
At the time of this writing, whitelisted countries include: Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, State of Israel, Isle of Man, Jersey, New Zealand, United States and Eastern Republic of Uruguay.
You’ll find the current list here.
If the EU commission has not decided that a certain country guarantees an adequate level of protection, a data transfer may happen if the data controller:
The protective measures effectively means that the data transfer shall be based on:
Data may be transferred after a certain permission has been sought and received from your data inspection authority.
In some instances you may be allowed to transfer personal data to a country outside of EU, even though the country doesn’t have an adequate protection level nor any appropriate protection measures have been made.
E.g. data can be transferred if the person has explicitly given their consent to the transfer, after being informed about the risks of the transfer.
Data may also be transferred in certain legal cases – such as to fulfill a contract on behalf of the person, or to guard legal claims.
A transfer of data is also allowed if:
Such a weighing of interest shall assure that the transfer is necessary because of forced legitimate interests for the data controller, and that the individual’s interests or rights weigh less.
It is also required that the data controller take appropriate measures to safeguard the personal data.
If a transfer happens during these conditions the data controller has to inform the data inspection authority och de concerned individuals about the transfer and the legitimate interests that are the reason for the transfer.
For more information about the General Data Protection Regulation, click here.
If you have any comments or questions, please send me an email.
Hi, I'm Christoffer Lejdborg! I believe software has tremendous potential to transform your business in amazing ways, but people are too focused on the technology instead of the business case.
Some of my clients are very well known, some are not – but I love them all equally.
+46 70-218 17 24