Understanding transfer mechanisms in GDPR

Let’s start with the basics of how you can lawfully transfer personal data from the EEA to the rest of the world. It’s important to note that a transfer of personal data includes both making information accessible to, and actively transferring it to, parties outside of the EEA. Any country outside the EEA is defined as a “third country” under the GDPR.
Chapter 5 of the GDPR states that transfers to a third country or international organization are only lawful if one of the specified conditions or transfer mechanisms is met.
Adequacy decisions
The first transfer mechanism applies when the third country, or international organization, ensures an adequate level of data protection. Transfers under this mechanism don’t require any specific authorisation and are based on a formal decision by the European Commission.
The Commission maintains a list of countries deemed to provide adequate protection. This assessment is based on factors such as rule of law, human rights, and fundamental freedoms.
As of February 2021, the following were considered adequate:
- Andorra
- Argentina
- Canada (commercial organizations)
- Faroe Islands
- Guernsey
- Israel
- Isle of Man
- Japan
- Jersey
- New Zealand
- Switzerland
- Uruguay
The United States was removed from this list following revelations by Edward Snowden regarding surveillance practices.
Alternative transfer mechanisms
Not all countries meet GDPR adequacy standards. Therefore, alternative mechanisms are required to ensure lawful data transfers.
Standard Contractual Clauses (SCC)
The European Commission has issued standard contractual clauses for controller-to-controller transfers and controller-to-processor transfers.
The clauses are pre-approved contract templates. They may be used standalone or within broader agreements, but they must remain unmodified and must not be contradicted by other terms. They typically include provisions found in Data Protection Agreements, such as obligations to report personal data breaches.
Binding Corporate Rules (BCR)
Binding Corporate Rules are internal policies developed by multinational organizations to regulate transfers of personal data within their corporate group.
Key characteristics: BCRs must be reviewed and approved by a supervisory authority, apply to intra-group data transfers, and require demonstrable compliance in practice.
Impact of Schrems II
The European Data Protection Board (EDPB) released recommendations following the Schrems II judgment. They emphasize that transfer mechanisms do not operate in isolation but must be considered within a broader context. It may therefore be necessary to implement additional safeguards to ensure an adequate level of protection. This is particularly important in cases where the legal system of the third country risks undermining the effectiveness of the chosen transfer mechanism.
However, the specific measures required are not clearly defined.
Example: Erlanders Group
Erlanders Group is one of the first international organizations in Sweden to have their BCR approved by the national supervisory authority.
This allows them to freely transfer personal data within their corporate group. However, they must also demonstrate compliance with their BCR in practice and ensure that the receiving country provides a level of protection equivalent to that of the EU. Additionally, a risk assessment should be conducted to evaluate the safeguards in the third country and the risks to data subjects’ rights and freedoms.
Staying compliant in a changing landscape
Security regulations and frameworks like the GDPR are continuously evolving. The European Commission takes data protection seriously and enforces compliance strictly. Organizations that fail to stay updated risk penalties, regardless of intent. Understanding GDPR transfer mechanisms, such as adequacy decisions, SCCs, and BCRs, is an ongoing process.
How to stay ahead
Secure cloud platform providers with expertise in compliance can help organizations stay aligned with regulatory developments, implement appropriate safeguards and prepare for upcoming legal changes.
Working proactively with specialists ensures that your organization remains compliant, even before new regulations fully take effect.
For more resources about GDPR on our site you can, or better yet reach out to our team directly with your questions and concerns here. Excellence in regulation, hosting and exceptional customer service is our core business; let us give you the space to get back to your core.