Transfers of personal data to third countries or international organisations
Personal data is transferred or exported to third countries when the operator or processor, who is obliged in accordance with Article 3 of the General Data Protection Regulation (data exporter), transmits personal data to an international organisation or an operator or processor of personal data with a headquarters in a country outside of the European Union (EU) or the European Economic Area (EEC) (data importer), who is not bound by the Regulation (under Article 3).
Most often we speak of data transfer when the operator or processor with headquarters in the EU/EEC transfers data to an operator or processor outside of the EU/EEC. In accordance with Article 3(2), the Regulation also applies to the processing of personal data by operators and processors with headquarters outside of the EU/EEC in a third country when the processing activities are related: (a) to providing goods or services to individuals in the EU, or (b) to monitoring the behaviour of such individuals in the EU. This means that data transfer may also occur in cases where such an exporter in a third country transfers personal data to an importer in a third country, who is not bound by the Regulation in accordance with Article 3.
The Regulation foresees measures to ensure that personal data remains protected even after being transferred to third countries or international organizations. For a lawful transfer of personal data to an operator, processor or the recipients of personal data in a third country or an international organization, the two following conditions must be met:
1. For forwarding or making personal data available to the operator, processor or the recipient of personal data in a third country, there must exist a legal basis specified in Articles 6 and 9 of the Regulation, and additionally a legal basis from Article 9 of the ZVOP-1 for the public sector. The processor (legal or natural person processing personal data on behalf and on the account of the personal data operator) may receive personal data under conditions determined in Article 28 of the Regulation.
2. Upon fulfilling the first condition, the transfer of personal data to an operator or contractor in a third country or an international organization is permitted under conditions determined in chapter V of the Regulation, namely:
- if the European Commission issues a decision that the country, territory, a certain sector in the country or an international organization to which the data is transferred ensures an adequate level of protection of personal data. Decisions on the adequacy of the level of protection of personal data issued by the Information Commissioner before 25 May 2018 shall remain in force until changed, replaced or revoked by the IC;
- if the exporter of data ensures adequate protective measures in accordance with Article 46 of the Regulation and ensures that individuals have enforceable rights and effective remedies;
- in special cases, which are specified in Articles 48 and 49 of the Regulation which allow for derogations.
1) Countries and international organizations which ensure an adequate level of personal data protection
The transfer of data to a third country or an international organization may be carried out if the European Commission determines that the third country, territory, one or more of the specified sectors in the third country or international organization ensures an adequate level of data protection (Article 45 of the Regulation). A special permit from the Information Commissioner is not required for a transfer of personal data on the basis of such an adequacy decision.
In assessing the adequacy of the level of personal data protection in a third country or international organization, the European Commission among others takes into account the following elements: principle of the rule of law, respect for human rights and fundamental freedoms, the legal framework for personal data protection and the practical implementations, the existence of efficient independent supervisory authorities, international commitments of a third country.
Decisions with which the Information Commissioner determined that certain third countries or international organizations provide an adequate level of personal data protection prior to 25 May 2018 were overruled in practice, since under the current regime, only the European Commission can issue decisions on the adequacy of personal data protection in third countries. The list of third countries referred to in Article 66 of the ZVOP-1 has also been formally repealed with the entry into force of the ZVOP-2.
2) Transfer based on adequate protective measures
When the adequacy decision with which the European Commission determines that a third country or an international organization ensures an adequate level of personal data protection is not adopted, the operator or processor may transfer personal data to a third country or an international organization with adequate protective measures. This is conditional upon the fact that data subjects have enforceable rights and effective remedies at their disposal.
Adequate protective measures may be provided:
- with a legally binding and enforceable instrument adopted by public authorities or bodies,
- with binding corporate rules in accordance with Article 47;
- with standard data protection provisions adopted by the European Commission or the supervisory authority and approved by the European Commission,
- with the approved code of conduct in accordance with Article 40, with binding and enforceable obligations of the operator or processor in a third country that they will use adequate protective measure which includes the rights of data subjects, or
- with an approved validation mechanism in accordance with Article 42, with binding and enforceable obligations of the operator or processor in a third country that they will use adequate protective measure which includes the rights of data subjects.
For such a transfer of data, a prior authorization by the Information Commissioner is no longer required.
However, with a prior authorization by the Information Commissioner, appropriate protective measures may also be taken with:
- contractual provisions determined by the exporter and the importer of personal data,
- provisions included in the administrative agreements between public authorities or bodies which include enforceable and effective rights for data subjects.
Decisions of the Information Commissioner issued prior to 25 May 2018 shall remain in force until amended, replaced or revoked, if this is necessary. The same shall apply for the decisions of the European Commission.
No certification mechanism under Article 42 of the Regulation has yet been developed and approved in the EU, consequently data transfer on this basis is not yet possible.
Transfer based on standard provisions on data protection
In such a case, the exporter and importer of personal data shall conclude a contract in which they include the standard contractual provisions and both annexes which are an integral part of those provisions. The European Commission has adopted two models of standard contractual clauses for the transfer of personal data that can be used by the processors from the EU/EEC for the transfer of data:
- standard contractual clauses for the transfer of data from a processor in the EU/EEC to an operator in a third country are available on the following link;
- standard contractual clauses for the transfer of data from a processor in the EU/EEC to a processor in a third country are available here and here (you may choose between two options).
The models of standard contractual clauses shall remain in force even after the application of the Regulation, i.e. until repealed, replaced or changed by the European Commission.
Transfer based on binding corporate rules
Binding corporate rules constitute an internal act of multinational corporations and are intended for the transfer of data within a group of companies, of which certain companies are located in third countries which do not provide adequate personal data protection.
Binding corporate rules (abbreviated BCR) shall be approved by the main supervisory authority in accordance with the consistency mechanism under Article 63 of the Regulation. These may only be approved under the condition that they are legally binding for each member of the related company or groups of companies and employees, and that they expressly give the employees enforceable rights in relation to the processing of their data and that they meet the requirements from Article 47/II of the Regulation which sets out the minimum content of the binding corporate rules. Additional prior permission by the Information Commissioner is no longer required.
3) Transfer of data on the basis of derogations in special cases
If the adequacy decision for a particular country or an international organization from Article 45 of the Regulation is not adopted and if appropriate protective measures have not been met in accordance with Article 46, the transfer may be carried out only in certain special cases (Articles 48 and 49 of the Regulation). One of the following conditions must be met:
(a) the individual, to whom the personal data relate, has given expressed consent to the transfer after being warned about possible risks which such transfer can mean for them because of the non-adoption of the adequacy decision and other suitable protective measures;
(b) the transfer is required for the execution of a contract between the data subject and the processor or for the implementation of pre-contractual measures adopted upon the request of the data subject;
(c) the transfer is required for the conclusion or implementation of a contract between the processor and another natural or legal person, and it is in the interest of the data subject;
(d) the transfer is required because of important reasons of public interest;
(e) the transfer is required for the enforcement, implementation or defence of legal claims;
(f) the transfer is required for the protection of the life interests of the data subject, and the individual is legally or physically unable to give consent;
(g) the transfer is carried out from a register which is intended for the provision of information to the public and is according to the EU law or the law of the Member State open to consultation either by the public in general or by any person demonstrating a legitimate interest, however, only if the individual case fulfils conditions for such access to information which is determined by the EU law or by the law of a Member State. Additionally, a limitation shall apply which states that transfers on this basis may not include all personal data or the entire rows of personal data contained in the register. When the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients;
If transfer is not possible on the basis of the above conditions, it may only be carried out under strictly defined conditions; in such cases, the transfer is possible if:
- it is not repeatable,
- it only refers to a limited number of data subjects,
- it is necessary because of the necessary legitimate interests pursued by the operator and which do not override the interests or rights and freedoms of the individual, and
- if the processor has previously evaluated all circumstances related to the transfer of data and has determined the appropriate protective measure in relation to the personal data protection based on this evaluation.
The evaluation and the foreseen measures shall be documented in the data processing records by the data operator or processor in accordance with Article 30 of the Regulation. Additionally, the operator shall inform the supervisory authority, i.e. the Information Commissioner thereof, and shall provide the individuals the information referred to in Articles 13 and 14 of the Regulation and shall give them information on the transfer in question and of urgent legal interests due to which the transfer was necessary.
With regard to transfers conducted in connection with court decisions and decisions of the administrative authorities from third countries which request a transfer or disclosure of personal data, Article 48 of the Regulation determines that this may be recognized or enforced in any way only if it is based on an international agreement such as a treaty on mutual legal assistance between the applicant country and the EU or the Member State without infringing on other reasons for the transfer based on chapter V of the Regulation. Read more about the transfer of data to third countries at the website of the European Commission.