May 30, 2020

May 29, 2020

Subscribe to Latest Legal News and Analysis

May 28, 2020

Subscribe to Latest Legal News and Analysis

May 27, 2020

Subscribe to Latest Legal News and Analysis

Understanding the Layered Approach to International Data Transfers Under GDPR

In today’s globalised world, there are many cross-border transfers of personal data, which are sometimes stored on servers in different countries.

Chapter V of the General Data Protection Regulation (GDPR), “Transfers of personal data to third countries or international organisations”, provides different tools to frame data transfers from the EU to a “third country” (i.e. a country that is not a member of the European Economic Area). These include the following:

  • Sometimes, a third country may be declared as offering an adequate level of protection through a European Commission decision (“Adequacy Decision”), meaning that data can be transferred with another company in that third country without the data exporter being required to provide further safeguards or being subject to additional conditions (Article 45, GDPR). In other words, the transfers to an “adequate” third country will be comparable to a transmission of data within the EU. Japan is the latest country to benefit from such a decision (for more information, please read our blog).
  • In the absence of an Adequacy Decision, a transfer can take place if appropriate safeguards are present and if enforceable rights and effective legal remedies are available for individuals (Article 46, GDPR). Appropriate safeguards include:
  • In the case of a group of undertakings, or groups of companies engaged in a joint economic activity, companies can transfer personal data based on so-called binding corporate rules (BCRs) (Article 47, GDPR)
  • Contractual arrangements with the recipient of the personal data, using, for example, the Standard Contractual Clauses approved by the European Commission
  • Adherence to a code of conduct or certification mechanism, together with obtaining binding and enforceable commitments from the recipient to apply the appropriate safeguards to protect the transferred data
  • Finally, if it is envisaged that personal data be transferred to a third country that is not the subject of an Adequacy Decision and if appropriate safeguards are absent, a transfer can be made based on a number of “derogations for specific situations” (Article 49 (1) , GDPR), for example, where an individual has explicitly consented to the proposed transfer after receiving all necessary information about the risks associated with the transfer. Even within these derogations, there is a particular one to be used only as a last resort.

The European Data Protection Board (EDPB) (in its “Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679”) and its predecessor,WP29, recommend as best practice a “layered approach” to transfers of considering first whether the third country provides an adequate level of protection and ensuring that the exported data will be safeguarded in the third country. If the level of protection is not adequate, the data exporter should consider providing adequate safeguards. Hence, “ data exporters should first endeavour to frame the transfer according to one of the mechanisms included in articles 45 and 46 of the GDPR, and only in their absence use the derogations provided in Article 49 (1).”EDPB adds that the article the derogations “must be interpreted restrictively so that the exception does not become the rule. This is also supported by the wording of the title of Article 49 which states that derogations are to be used for specific situations (‘Derogations for specific situations’)”

It can be difficult to understand when personal data is legally permitted to be transferred outside of the European Economic Area under the GDPR, which is why we have prepared a chart that shows the layered approach that should be used.

© Copyright 2020 Squire Patton Boggs (US) LLP


About this Author

Stephanie Faber Attorney Squire Patton Boggs Paris
Of Counsel

Stephanie Faber heads the Data Privacy & Cybersecurity Practice and the Intellectual Property & Technology Practice in the Paris office. She specialises in international business law, with more than 20 years of experience. Her legal practice encompasses business transactions and operations, as well regulatory and compliance work.

In relation to the Data Privacy & Cybersecurity Practice, Stephanie advises on:

  • GDPR gap assessment and compliance programs

  • Data breach...

33 1 5383 7400