GDPRThird Countries

It is essential these days to transmit data to third countries as part of international trade and cooperation. Examining the permissibility of such a transfer is done in two stages.

First, the data transfer itself must be permissible. Any processing of personal data is subject to a prohibition if permission is reserved. In addition to consent, Art. 6 of the GDPR sets forth further justification reasons, such as fulfilling a contract or protecting vital interests. For special personal data which requires a higher level of protection, the permission text of Art. 9 of the GDPR applies.

If the planned data transfer meets the general conditions, one must check in a second step whether transfer to the third country is permitted. One must differentiate between secure and unsecure third countries. Secure third countries are those for which the European Commission has confirmed a suitable level of protection in a decision of appropriateness. They provide in their national laws for protection of personal data which are comparable to those of EU law. At the time that the General Data Protection Regulation became applicable, the third countries which are counted as secure countries are: Andorra, Argentina, Canada (only commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and USA (if the receiver belongs to the Privacy Shield). Data transfer to these countries is expressly permitted.

If there is no decision of appropriateness for a country, this does not necessarily exclude data transfer to this country. Rather, the processor must ensure in another way that the personal data will be sufficiently protected by the recipient. This can be assured using standard data protection clauses, for data transfers within a Group through so-called “binding corporate rules,” through obligation to comply with rules of behaviour which have been declared by the European Commission as being generally applicable, or by certification of the processing procedure.

Furthermore, there are several exceptions which legitimise data transfer to a third country, even if protection of personal data cannot be sufficiently assured. Most frequently, the consent of those impacted is relevant here. Thus, one must note the requirements for their voluntary nature. Further exceptions, such as transmitting to fulfil contracts, important reasons of public interest and the assertion of legal rights are less relevant in practice.