Understanding transfer mechanisms in GDPR

Let’s start with the basics of how you can lawfully transfer personal data from the EEA to the rest of the world. It’s worth noting that a transfer of personal data covers both information that is transferred to parties outside of the EEA and information that is accessible by them. Any country outside of the EEA is defined as a third country in the GDPR. Chapter 5 of the GDPR starts by saying that a transfer to a third country or international organization is only legal if one of the conditions or transfer mechanisms in that chapter is met.

The first transfer mechanism is that the third country, or the international organization in question, ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. The European Commission publishes a list of third countries it deems adequate on its website. Its assessment of adequacy is based on that country’s rule of law concerning human rights and freedoms. This is the current list as of Feb 2021: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. The USA was removed from this list when Edward Snowden showcased privacy issues concerning the US’ approach to internet surveillance.

Not all countries can assure a level of data protection similar to the GDPR, as those on the list do, hence there are a few other transfer mechanisms in place. Another transfer mechanism is ensuring there is an appropriate safeguard in place. The two most common safeguards are the Standard Data Protection Clauses and Binding Corporate Rules.

Standard Data Protection Clauses

The European Commission has issued two sets of standard contractual clauses for transmitting personal data from one controller in the EU to another controller in a third country, and one set for controller-to-processor transfers. The standard contractual clauses are basically a contract template of clauses that you can use on their own or incorporate in a wider contract, provided that you do not modify the clauses or add contradictory clauses. The clauses regulate things commonly seen in Data Protection Agreements, for example, reporting commitments in case of a personal data breach.

Binding Corporate Rules (BCR)

Binding Corporate Rules are written policies or rules that international organizations create for themselves to regulate their transfers of personal data outside of the EU within their group of undertakings or enterprises. The main supervisory authority for the international organization must review and authorize the BCR before it can be used as a transfer mechanism under GDPR. For the BCR to be valid, the international organization must be able to comply with its BCR in practice.

The European Data Protection Board (EDPB) recently released new recommendations following the Schrems II judgement, saying that transfer mechanisms do not operate in a vacuum and may need to be supplemented with other measures if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards or transfer mechanisms. They do not say anything on what those measures are.

An Example

Erlanders Group is among the first international organizations in Sweden to have their BCR accepted by the Swedish supervisory authority and may freely transfer personal data within their group. However, the supervisory authority also says that the Erlanders Group must adhere to its BCR in practice and verify that the law of the importing third country makes it possible to provide a level of protection of personal data that is broadly equivalent to that provided within the EU. It also mentions that a risk assessment should be used for determining the safeguards in the third country regarding the data subject’s rights and freedoms.

Security regulations and protocols, like GDPR, are continually updated and reassessed. The European Commission takes the personal data of its citizens very seriously and penalizes organizations that are not up to date and following protocols, no excuses granted. Understanding GDPR, transfer mechanisms and rules like BCR is a marathon, which is why secure cloud platform hosts like our team at Complior focus entirely on data protection and certification protocols. Working behind the scenes, with an ear on government regulations and on solutions for your organization when changes come down the pipeline, long before you’ve even read about them, is the name of our game.
