The General Data Protection Regulation (GDPR) from the EU is one of the most in-depth and strict laws protecting the transfer and processing of personal data.
When the law was implemented on May 25, 2018, it changed the game for companies across the world on how they collected, stored, and transmitted personal information. While the GDPR applies to the transmission of private data in the EU, its rules also extend to transferring information from the EU to outside companies, or restricted transfers.
If your company is transferring data to somewhere outside of the EU, what do you need to do to make sure you are compliant with the GDPR's rules and regulations and avoid possible fines?
We'll show you.
- 1. What is a Restricted Transfer?
- 2. Is Your Restricted Transfer Covered by an Adequacy Decision?
- 3. If No Adequacy Decision, are You Covered by an Appropriate Safeguard?
- 3.1. 1. There is a legally binding and enforceable document between public authorities or bodies
- 3.2. 2. Binding corporate rules
- 3.3. 3. Standard contractual clauses adopted by the European Commision
- 3.4. 4. Standard data protection clauses adopted by the European Commission and approved by a supervisory authority
- 3.5. 5. Approved code of conduct together with binding and enforceable commitments of the third country or party
- 3.6. 6. An approved certification mechanism with the binding and enforceable commitments with third country or party
- 3.7. 7. Contractual clauses between both parties and approved by the supervisory authority
- 3.8. 8. Administrative arrangements between the public authorities that include effective and enforceable data protection rights
- 3.9. Is the Transfer Covered by an Exception?
- 4. Summary
The GDPR lays out clear guidelines for companies to follow if they are planning on making a data transfer outside of the EU or the European Economic Area (EEA). While the rules may be clear, they are also extremely strict. If you fail to comply with the rules or do not meet one of the requirements you will be in violation of the GDPR.
There are four main questions your company will have to answer before you can compliantly make your transfer.
First, are you making a restricted transfer or an accepted transfer?
Second, if you are making a restricted transfer, has an "adequacy decision" been made?
Third, if no "adequacy decision" has been made, is your transfer covered by "appropriate safeguards?"
Fourth and finally, if your transfer is not covered by an "adequacy decision" or safeguards does it fall under any exceptions?
If your transfer fails to satisfy these questions, then it cannot be made.
What is a Restricted Transfer?
The first question you will need to answer is whether the transfer of information you are making is considered a restricted transfer under the GDPR.
Note that if the data is not "personal data,' then it does not fall under the GDPR's protection.
If you are planning on making a transfer from one company within the EEA to another, then the transfer is unrestricted.
A transfer is considered "restricted" if:
- The personal data being processed is protected by the GDPR,
- The recipient of the transfer is an international organization or third country outside of EU or EEA, and
- The recipient is a separate organization or individual (this can include a company under the same corporate umbrella)
If your processing is considered a restricted transfer, then your next question is whether it is covered by an "adequacy decision."
Is Your Restricted Transfer Covered by an Adequacy Decision?
Under Article 45, an adequacy decision is made by the European Commission on whether the recipient of the information "ensures an adequate level of protection" of the individual's rights of the data:
The Commission looks at multiple factors when making an adequacy decision. Some of the factors they consider are the state of the following in a region:
- Rule of law
- Respect for human rights and fundamental freedoms
- Data protection rules
- Relevant legislation
- Independent advisory boards on the data protection
- International commitments
These decisions are in place for four years with frequent reviews. This means that if a country fails to meet one of these factors in their most recent review, they could fail the adequacy decision.
At the time of writing this, the European Commission has so far only recognized and approved 13 countries: Andorra, Argentina, Canada, Japan, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the United States. You can view the most recent list here.
A note of caution, even if the country you are transferring to is included in this list, there may still be restrictions. For example, the US has only been recognized in regard to the information that is covered under the US-EU Privacy Shield.
If your transfer is covered by an adequacy decision, then you can make the transfer. If not covered, then you must go to the next step.
If No Adequacy Decision, are You Covered by an Appropriate Safeguard?
The next step in the process is whether your transfer can be made under appropriate safeguards. A company or controller can only make a transfer under this step if they have provided "appropriate safeguards" to protect the individual's rights to the data and these safeguards are made available.
Both the sending and receiving party must have appropriate safeguards. If the third party country or company has not put in place the protections, then the transfer will not qualify.
There are 8 possible safeguards your transfer can qualify under, set out in Article 46 of the GDPR.
1. There is a legally binding and enforceable document between public authorities or bodies
If the controller and receiver have entered into an enforceable contract that is legally binding and complies with data protection laws and the rights of individuals, then it qualifies.
2. Binding corporate rules
This safeguard applies if both parties have joined into a document that is binding corporate rules Article 47 dictates what qualifies as, and is required by, binding corporate rules.
Some requirements of binding corporate rules are:
- Legally binding and enforceable on every member
- Expressly lays out the data protection rights
- Complaint procedures
- How the information of the rules are presented to data subjects
- Include all essential and enforceable principles and rights
3. Standard contractual clauses adopted by the European Commision
Standard contractual clauses are clauses that both parties enter into that contain obligations for both parties when it comes to protecting the rights of the data subjects. These clauses have been adopted by the European Commission and any two parties can agree to one.
4. Standard data protection clauses adopted by the European Commission and approved by a supervisory authority
Companies can enter into an agreement and use a standard data protection clause that has been adopted by the commission and approved by a supervisory authority. This is similar to the last point but takes it one step further.
5. Approved code of conduct together with binding and enforceable commitments of the third country or party
This safeguard relates to code of conducts that companies can join with their supervisory authority. The GDPR endorses this practice as a way to promote application of the regulation.
6. An approved certification mechanism with the binding and enforceable commitments with third country or party
You can make the transfer if the third country or outside organization has entered into a safeguarding mechanism with their supervisory authority. The mechanism between the authoritative body and company ensures that the controller follows certain procedures and requirements when dealing with the data. The mechanism must include safeguards and protections for the data subjects.
7. Contractual clauses between both parties and approved by the supervisory authority
This applies if both parties have entered into a contract that has been approved by the supervisory authority for this particular restricted transfer. The contract can not be a blanket clause, but applies to a single transfer.
8. Administrative arrangements between the public authorities that include effective and enforceable data protection rights
This safeguard applies when public authorities are making transfers of data and the transfer is either between public authorities, one public authority doesn't have the power to enter into a contract, there is already an arrangement, or the arrangement has been approved by the supervisory authority.
If after going through this step and your company does have one of these safeguards, then you can make the transfer. For companies who do not fall under any of these safeguards, your last option is to look at exceptions.
Is the Transfer Covered by an Exception?
If your transfer isn't covered by either Step 2 or Step 3, then Article 49 is your final option. Article 49 lays out the specific exceptions your transfer may fall under to remain valid.
Unlike the safeguard and "adequacy decision" requirements, many of these exceptions are difficult to qualify for and must be in extreme instances.
Exception 1: The individual has given explicit permission to the restricted transfer after being informed about the transfer failing the adequacy decision and safeguards requirements. The consent must also be valid under the GDPR by being explicit, clear, and freely given.
Exception 2: The transfer is required when there is a contract between the individual and the controller who is transferring the data or the transfer is a requirement or step to enter into a contract with the individual. This type of transfer can only occasionally occur and must be necessary.
Exception 3: The transfer is required to fulfill a contract with the individual and benefits another individual whose data is also being transferred. As Exception 2, this type of transfer is restricted to necessary and occasional transfers.
Exception 4: It is necessary for important reasons for public interest. Examples of this type of transfer would be international data exchange, between supervisory authorities, or tax and customs administrations.
Exception 5: It is necessary for the filing, defense, and arguing of legal claims. This exception can be used not only for judicial processes, but also administrative procedures.
Exception 6: The transfer is required to protect the interests of the individual. However, the individual must be physically or legally incapable of giving consent. Exception 6 was designed to apply to medical emergencies when individuals need immediate medical attention.
Exception 7: The transfer is made from a public register. A register is open to the public or to any person who shows a legitimate interest in the information.
Exception 8: The transfer is a one-time deal that is a legitimate interest for your company. This is a very rare exception and only is granted under extreme situations. This exceptions requirements are:
- Not repetitive
- Only involves a few data subjects
- Necessary for compelling interests
- Assessed all circumstances and provided appropriate safeguards
To find out whether your company's transfer to a non-EU company or country requires asking some important questions. Failure to meet one of the requirements doesn't count you out, but failure to meet any of the possible permissions means that if you transmit the data you will violate the GDPR.
The process is very detailed and strict. Whether your transfer is exempt from the typical transmission requirements of the GDPR, make sure to follow these steps:
- Determine if your transfer is a restricted transfer, or a process that sends data outside of the EU or EEA.
- If your transmission is a restricted transfer, has an "adequacy decision" been made on the country you are transmitting the data?
- If your transfer fails the second step, has your company and the receiving company put in safeguards for data protection?
- Finally, if your transfer has failed Steps 2 and 3, does it fall under a GDPR exception?