July 14, 2020

Everything You Need to Know for Data Transfers Under the GDPR

This short guide explains what you need to know about data transfers under the GDPR.

Data transfers are one of the slippery slopes where you can easily violate the GDPR. Despite your best intentions in handling your users’ data, you have to be extremely cautious where you send that data in order to avoid the massive GDPR penalties.

Secure Privacy’s solution doesn’t allow website owners to send data where they are not supposed to. This short guide explains why and shows you the way to compliance.

What is a Data Transfer Under the GDPR?

Data transfer is the act of sending your users’ personal data to someone else in another country outside of the European Union or international organization. Most often it occurs according to a data processing contract.

Let’s say that you collect email addresses with Mailchimp. You collect the email address and send it to the Mailchimp database for keeping and managing your email list. The act of sending your user’s email address, which is personal data, to Mailchimp servers is a data transfer.

The GDPR is very protective of personal data, therefore it takes data transfer seriously. The European Union has in place data protection measures on a high level. It allows transferring data only to countries that are up to the challenge of equally high levels of protection. As a result, the GDPR prescribes in detail how you could engage in sharing data with someone else.

What Are the GDPR Rules for Data Transfers?

The GDPR has a whole chapter (Chapter V) dedicated to data transfers. It clearly set out the rules under which you can send data to third countries.

So, if you want to use a data processing tool which servers are located in another country, you are compliant with the law if you do that on any of the following basis:

According to an adequacy decision of the European Commission

The EU has agreements with third countries with an adequate level of data protection. The level is determined according to a set of standards, such as human rights protection, rules of law, laws for the protection of personal data, the existence of supervisory authority for data protection, and others. If the EU is satisfied with those protection levels, it signs an agreement with that country and allows the free transfer of data to them.

The decisions allowing the transfers are called adequacy decisions. You can find the full list of adequate countries here. It is updated every time the EU signs a new agreement with another country.

From all those countries, the relationship between the EU and the USA is a bit complicated. The US is not a fully adequate country, but you can transfer data freely to companies who are certified under the EU-US Privacy Shield.

The EU-US Privacy Shield is a framework for the exchange of data for commercial purposes between the EU and the US which allows free data transfer from any EU company to certified US companies.

This means that if you want to use a tool for processing data located in the US, you can transfer data without restrictions only if the company is certified under the EU-US Privacy Shield. You can search the full list of certified companies here. Make sure you check out if all your US-located data processors are there. To make it quicker, use our GDPR scanner.

Having appropriate safeguards in place

If there is no adequacy decision for the country you want to transfer data to, you can transfer it freely on the basis of appropriate safeguard for data protection by the controller or the processor and the data subject, i.e. your user, has legal remedies available.

Simply said, if the third country has no adequate level of protection, the controller or the processor can take measures to compensate for the lack of adequacy of data protection.

They can do it by:

  • Binding corporate rules, if the transfer is between companies belonging in the same group of companies
  • Standard data protection clauses adopted by the European Commission
  • Standard data protection clauses adopted by a supervisory authority and approved by the European Commission
  • a legally binding and enforceable instrument between public authorities or bodies
  • An approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country
  • An approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country.

Aside from the free transfer of data on the basis of appropriate safeguards, you can transfer data to a third country upon authorization by the competent supervisory authority. In this case, you’ll also need appropriate standard contractual clauses for data protection.

Under any of the exceptions from Article 49 of the GDPR

If there is no adequacy decision and you have no appropriate safeguards in place, you can still transfer data freely outside of the EU, but only in the following cases:

  • You have obtained an explicit consent by the user
  • It is necessary for executing a contract between you and the data user, such as a contract for providing online services or products
  • The transfer is in the user’s interest regarding the execution of a contract
  • Due to public interest
  • For the establishment, exercise or defense of legal claims
  • Due to the user’s interest while she is incapable of giving explicit consent or
  • The transfer is made from an EU’s register intended for public consultation.

You Want to Transfer Data to a Third Country. What Are Your Options?

You are completely safe and compliant as long as you transfer data only inside the EU or to an adequate country. That’s the best way to handle your users’ personal data.

Things may get a little bit complicated if you want to send data to a country without an adequate level of protection. You may compensate for the lack of adequacy, but it takes effort which you can skip that by obtaining consent by the user.

Read all about the Schrems II Decision and EDPB Schrems II Guidance on transferring data outside the EU.

Whatever path you choose, make sure you are compliant with the GDPR. If you need an automated solution for GDPR compliance, click here to check out Secure Privacy.