Understanding the Layered Approach to International Data Transfers Under GDPR
In today’s globalised world, personal data constantly crosses borders, and it is often stored on servers in several countries at once.
Chapter V of the General Data Protection Regulation (GDPR), “Transfers of personal data to third countries or international organisations”, provides different tools to frame data transfers from the EU to a “third country” (i.e. a country that is not a member of the European Economic Area). These include the following:
- A third country (or a territory or sector within it, or an international organisation) may be declared as offering an adequate level of protection by a European Commission decision (“Adequacy Decision”). Personal data can then be transferred to a recipient in that third country without the data exporter having to provide further safeguards or meet additional conditions (Article 45, GDPR). In other words, a transfer to an “adequate” third country is treated in the same way as a transmission of data within the EU. Japan is the latest country to benefit from such a decision (for more information, please read our blog).
- In the absence of an Adequacy Decision, a transfer can take place if appropriate safeguards are in place and if enforceable data subject rights and effective legal remedies are available to individuals (Article 46, GDPR). Appropriate safeguards include:
  - In the case of a group of undertakings, or a group of enterprises engaged in a joint economic activity, binding corporate rules (BCRs) approved by the competent supervisory authority (Article 47, GDPR)
  - Contractual arrangements with the recipient of the personal data, for example the Standard Contractual Clauses approved by the European Commission
  - Adherence to an approved code of conduct or certification mechanism, together with binding and enforceable commitments from the recipient to apply the appropriate safeguards to the transferred data
- Finally, where personal data is to be transferred to a third country that is not covered by an Adequacy Decision and appropriate safeguards are absent, a transfer can still be made on the basis of one of the “derogations for specific situations” (Article 49(1), GDPR), for example where the individual has explicitly consented to the proposed transfer after being informed of the possible risks involved. Even among these derogations there is a particular one, the transfer based on the data exporter’s compelling legitimate interests (Article 49(1), second subparagraph), that is to be used only as a last resort.
The European Data Protection Board (EDPB), in its “Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679”, and its predecessor, the Article 29 Working Party (WP29), recommend as best practice a “layered approach” to transfers. The data exporter should first consider whether the third country provides an adequate level of protection and whether the exported data will be safeguarded there. If the level of protection is not adequate, the data exporter should consider putting appropriate safeguards in place. Hence, “data exporters should first endeavour to frame the transfer according to one of the mechanisms included in Articles 45 and 46 of the GDPR, and only in their absence use the derogations provided in Article 49(1).” The EDPB adds that the derogations “must be interpreted restrictively so that the exception does not become the rule. This is also supported by the wording of the title of Article 49 which states that derogations are to be used for specific situations (‘Derogations for specific situations’).”
It can be difficult to work out when personal data may lawfully be transferred outside the European Economic Area under the GDPR, which is why we have prepared a chart showing the layered approach that should be followed.