Under what circumstances am I allowed to transfer personal data to a third country?

1. Adequacy decision
If the European Commission deems the level of data protection in a third country to be of at least the same level as within the EU (adequate), it can adopt an adequacy decision regarding that third country. You are allowed to transfer personal data to a third country covered by an adequacy decision, under the terms of that decision. The Commission has adopted an adequacy decision for the following countries: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The Commission has adopted adequacy decisions subject to certain conditions for Japan, Canada and the United States. 

The adequacy decision for the United States (Privacy Shield) was declared invalid by the Court today. That means that you can no longer rely on this adequacy decision.

Appropriate safeguards: 2-9
Note: It follows from the Schrems II judgement that relying solely on appropriate safeguards for international personal data transfers is most likely not sufficient. Read more about this under 'Can I still use the Standard Contractual Clauses?' in our Privacy Shield blog post.

2. Legally binding and enforceable instrument
The transfer of personal data to a third country is lawful if there is a legally binding and enforceable instrument between the public authorities or bodies of the receiving third country and the country in the EEA from where the data is transferred. As this only applies to public authorities and bodies, this will not be explained further in this post.

3. Binding Corporate Rules
You are allowed to transfer personal data if you and the receiver in the third country have signed up to a legal construct called binding corporate rules (BCRs). BCRs can only be used within a multinational group. You cannot set up binding corporate rules with another company. BCRs need to be approved by the supervisory authority of your country.

4. Standard data protection clauses adopted by the Commission
You can make a personal data transfer to a third country if you and the third country receiver have entered into a contract that incorporates any standard data protection clauses adopted by the Commission, also known as standard contractual clauses (SCCs). 

For new contracts, you can make use of three sets of SCCs. The 2010 version is for a controller to processor (data processing agreement) relationship and the 2001 and 2004 versions are for a controller to controller (data transfer agreement) relationship. Although these SCCs were adopted under the Data Protection Directive and not the GDPR, they can still be lawfully used until the Commission updates them.

5. Standard data protection clauses adopted by a supervisory authority and approved by the Commission
You can make a personal data transfer if you and the third country receiver enter into a contract incorporating standard data protection clauses adopted by the supervisory authority of your country that are subsequently approved by the Commission. The Dutch Data Protection Authority currently has not adopted any standard data protection clauses that are approved by the Commission.

6. An approved code of conduct together with binding and enforceable commitments of the third country receiver
You can make a personal data transfer if the receiver has signed up to a code of conduct, which has been approved by the supervisory authority of your country. The Dutch Data Protection Authority has not approved any code of conduct. 

7. Certification under an approved certification mechanism together with binding and enforceable commitments of the third country receiver
You can make a personal data transfer if the receiver in the third country has a certification which has been approved by the supervisory authority of your country. The Dutch Data Protection Authority has not approved any certification mechanism at this moment.

8. Contractual clauses authorised by a supervisory authority
You can make a personal data transfer if you and the third country receiver enter into a contract that has been individually approved and authorised by the supervisory authority of your country. You can ask the Dutch Data Protection Authority to approve your contract.

9. Administrative arrangements between public authorities or bodies which include enforceable and effective rights for the individuals whose personal data is transferred, and which have been authorised by a supervisory authority
Public authorities or bodies in the EEA and third countries can make arrangements to share personal data if that has been authorised by the supervisory authority. As this only applies to public bodies, this will not be further discussed here.

Derogations for specific situations: 10-17
10. Consent
You are allowed to transfer personal data outside of the EEA to a receiving third country if the data subject consents to this transfer. The consent needs to be in accordance with the requirements of the GDPR. That means that it must be freely given, informed, specific and unambiguous. The 'informed' requirement is very important in this case, as you need to make sure that the data subjects understand the risks involved with this transfer.

11. Necessary for the performance of the contract
You are allowed to transfer personal data to a third country if that is necessary for the performance of a contract. Necessary in this context means that you are not able to carry out the obligations of the contract without transferring the personal data to the receiver in the third country. This only applies to occasional transfers though. You need to have an appropriate safeguard in place if you regularly plan to transfer personal data to a third country.

12. Necessary for the performance of a contract that benefits the person whose personal data is transferred
You are allowed to transfer personal data to a third country if that is necessary for the performance of a contract that benefits the person whose personal data is transferred. For this exception you also need to have an appropriate safeguard in place if you regularly plan to transfer personal data to a third country. This exception does not apply to public authorities.

13. Important reasons of public interest
You are allowed to transfer personal data to a third country if an EU or Dutch law states or implies that a transfer to a third country is allowed for important reasons of public interest. This could be applicable in the case of an international agreement or convention. This will mostly apply to public authorities or bodies.

14. Legal claims
You are allowed to transfer personal data to a third country if this is necessary to defend a legal claim, which can be a claim in private law, criminal law or administrative law. The concept of a legal claim can be interpreted widely. This exception only applies to incidental transfers of personal data.

15. Protecting vital interests
You are allowed to transfer personal data to a third country if this is necessary to protect the vital interests of the involved data subject. This obviously only applies to incidental transfers. Vital interests imply life or death situations where immediate medical care is required. For example, if a patient is unconscious and needs to be brought outside of the EEA for a special medical treatment, you can (if the doctor-patient confidentiality allows this) share the medical history of this patient with the medical centre outside of the EEA if that is necessary to save the data subject's life. You cannot rely on this exception if the data subject is physically and legally able to provide consent.

16. Transfer from a public register
You are allowed to transfer personal data from public registers (this does not include registers kept by private companies!) to a third country. An example of a public register in the Netherlands is the Kadaster. The personal data transfer must be in accordance with the rules that apply to the disclosure of information from the public register. If access to the public register is only given to those with a legitimate interest, you must make the same assessment. You should also consider the risks of transferring the personal data to a country with a lower level of data protection in that assessment.

17. One-off transfer for compelling legitimate interests
The last possible exception is that of compelling legitimate interests. If you have compelling legitimate interests for which the transfer of personal data to a third country is absolutely necessary, you may be able to rely on this exception to transfer personal data to a third country. This only applies in exceptional circumstances and is only meant for a very incidental transfer of personal data. This exception should be interpreted very strictly. 

For this exception to apply, all the following conditions need to be met:
  • There must be no adequacy decision which could apply;
  • You must be unable to use any of the other appropriate safeguards and you must have taken these safeguards into serious consideration, even if that would involve significant investments of money and time;
  • None of the other exceptions can apply and you have seriously considered them;
  • The transfer can only be very occasional;
  • The transfer may only involve a very limited number of individuals;
  • The transfer must be necessary for your compelling legitimate interests;
  • Your compelling interests must outweigh the rights and freedoms of the individuals and you must have assessed this fully and recorded this assessment in a document;
  • You must have provided suitable safeguards such as non-disclosure agreements, technical measures, pseudonymisation, encryption, etc.;
  • You must have informed the supervisory authority of this transfer;
  • You must have informed the data subject of the transfer and explained your compelling legitimate interests.