GDPR Third Countries

In view of international trade and cooperation, it is essential these days to be able to also transmit data to third countries. Examining the legitimacy of such a transfer is done in two stages.

First, the data transfer itself must be legal. Any processing of personal data is prohibited unless it is authorized. In addition to consent, Art. 6 of the General Data Protection Regulation (GDPR) sets forth further grounds for authorization, such as fulfilling a contract or protecting vital interests. For special categories of personal data, which require a higher level of protection, Art. 9 GDPR provides separate legal requirements.

If the intended data transfer meets the general requirements, one must check in a second step whether transfer to the third country is permitted. One must differentiate between secure and insecure third countries. Secure third countries are those for which the European Commission has confirmed a suitable level of data protection on the basis of an adequacy decision. In those countries, national laws provide a level of protection for personal data comparable to that of EU law. The third countries which ensure an adequate level of protection are: Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, the United Kingdom and South Korea. Data transfer to these countries is expressly permitted.

Since July 10, 2023, there has been an adequacy decision for the so-called EU-US Data Privacy Framework. This allows the transfer of personal data from the EU to US companies and US organizations that have signed up to the Data Privacy Framework by means of certification. The companies and organizations that have already been certified can be found in this list. Data transfers to non-certified US companies and organizations can no longer be based on the Commission's Implementing Decision (EU) 2016/1250 of July 12, 2016 pursuant to Directive 95/46/EC of the European Parliament and the Council on the adequacy of the EU-US data protection shield (Privacy Shield), because with the judgment "Schrems II" of July 16, 2020 (in case C-311/18), the ECJ declared this Implementing Decision invalid with immediate effect. Data transfers to non-certified US companies and organizations require other guarantees, according to Art. 44 et seq. GDPR, to create an appropriate level of data protection.

If there is no adequacy decision for a country, this does not necessarily rule out any data transfer to that country. Rather, the controller must ensure in another way that the personal data will be sufficiently protected by the recipient. This can be assured using standard contractual clauses, for data transfers within a corporate group through so-called "binding corporate rules," through a commitment to comply with codes of conduct which the European Commission has declared to be generally applicable, or by certification of the data processing procedure.

Furthermore, there are several exceptions which legitimize data transfer to a third country even if the protection of personal data cannot be sufficiently assured. Most frequently, the consent of the data subject is relevant here. At the same time, one must pay particular attention to the requirement that such consent be given freely. Further exceptions, such as transfers to fulfil contracts, important reasons of public interest and the assertion of legal rights, are usually less relevant in practice.