In addition to the processing of personal data within the member states and the EEA, the GDPR (General Data Protection Regulation (EU) 2016/679) regulates in Chapter 5, among other things, the admissibility requirements for transferring personal data to, or processing it in, so-called third countries, in short, international data transfer.

It does not matter whether the recipient is a state or private entity.

In practice, this is particularly relevant for the choice of server location and for the choice of any processor. These requirements play an equally important role when integrating certain applications into a website, for example those of US companies such as Google or Meta.

The GDPR lists three legal bases for a data transfer to a third country, each of which is meant to ensure that the level of protection for personal data is maintained in any case.

These are the adequacy decision, the existence of appropriate safeguards, and the exceptions for certain cases. It should be noted that one of these legal bases is a prerequisite for a compliant data transfer to a third country, but all other provisions of the GDPR continue to apply to each transfer as well.

The adequacy decision is a formal decision issued by the European Commission which determines that data protection in a third country is equivalent to that in the EU/EEA. Such adequacy has been established, for example, for Switzerland.

The United States, on the other hand, does not provide an adequate level of protection for personal data (the previously applicable EU-U.S. Privacy Shield was declared invalid by the CJEU on 16.07.2020), because the authorities there can lawfully access personal data at any time.

For a third country for which the European Commission has not issued an adequacy decision, the existence of other appropriate safeguards is a further possibility for carrying out a lawful data transfer to that country.

Of particular relevance are the EU standard data protection clauses, a set of rules approved by the EU Commission and the supervisory authorities. This standardised set of rules can be used directly between the controller and the processor without further approval. From 27 December 2022, the new standard data protection clauses must also be used.

It should be noted that those third countries must nevertheless ensure an adequate level of protection for personal data, which means that the law or practice of the respective third country must not undermine the effectiveness of the appropriate safeguard.

If there is neither an adequacy decision nor appropriate safeguards, the GDPR provides exceptions for certain cases that allow data to be transferred to third countries on a case-by-case basis. These include, among other things, the consent of the data subject and the necessity of the transfer for the performance of a contract.

The first legal basis, the adequacy decision, offers a fast and legally secure implementation, as the EU Commission has confirmed the level of protection in that third country and consequently no separate assessment is required.

The other two legal bases must always be assessed against the level of protection in the specific third country, which leaves a certain amount of room for interpretation.

Violations of the provisions on the transfer of personal data to third countries are subject to fines of up to EUR 20 million or, in the case of a company, up to 4% of its total worldwide annual turnover of the previous financial year. The most recent and a very prominent example is the record fine of EUR 1.2 billion recently imposed on the Facebook group "META".

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.