As the world recovers from COVID-19, international travel has picked up again, causing airport havoc across the globe. Some international transfers, however, never stopped: invisible but significant flows of cross-border personal data that move every day, mostly without public awareness. In this article, we explain what these transfers are and how you can comply with European data protection rules when you have to transmit personal information internationally.
The European General Data Protection Regulation (GDPR) devotes an entire chapter to cross-border personal data transfers. Sanctions for breaching the transfer rules are severe: the penalty is up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. That alone is a crucial reason to comply strictly with the GDPR's provisions.
So how can you ensure you follow the GDPR rules and avoid any fines?
First, you need to find out if you are carrying out cross-border data transfers.
If you only collect personal data from individuals in the European Union (EU) and never transfer any personal data outside the EU Member States, you are not subject to the cross-border transfer rules. You still need to comply with the GDPR's other provisions, however.
If you export personal data from the EU, or if you onward-transfer personal data that was already exported from the EU to or between third countries, you are subject to the rules on cross-border data transfers.
If you carry out such cross-border data transfers, you need to establish the legal basis for them. The first option the GDPR provides is an adequacy decision, i.e., a decision by the European Commission that a third country ensures an adequate level of data protection. If an adequacy decision exists, you can transmit EU personal data without any specific authorisation or additional safeguard, because the laws of that country offer protection comparable to the GDPR. In other words, the transfer is treated like an intra-EU transmission, as these pre-approved countries have recognised conditions that protect the data once received. To learn which adequacy decisions are in place, consult the EU's published guide on adequacy decisions for personal data.
If you engage in cross-border data transfers but no adequacy decision covers the destination country, you can rely on appropriate safeguards instead, on condition that enforceable data subject rights and effective legal remedies are available for individuals (Art. 46 GDPR).
Such appropriate safeguards foreseen by the EU regulation include:
Binding corporate rules:
This mechanism is a useful option for a group of companies seeking to legitimise intragroup data transfers. The rules set out the provisions on the transfer and processing of personal data between members of the group and are subject to approval by the competent supervisory authority.
Standard data protection clauses (known as Standard Contractual Clauses, or "SCC"):
The European Commission has adopted standard clauses for personal data transfers, which may be found here. Additionally, Data Protection Authorities may adopt their own standard data protection clauses, subject to approval by the European Commission.
Approved code of conduct or approved certification mechanism:
These are two further instruments you can use for your cross-border data transfers, provided that the data importer in the third country has made binding and enforceable commitments to apply the appropriate safeguards.
The GDPR also allows a limited set of derogations from the above mechanisms to legitimise your cross-border data transfers in specific situations (Art. 49 GDPR). The most useful ones for businesses are the data subject's explicit consent to the transfer and the necessity of the transfer for the conclusion or performance of a contract.
You must always comply with the applicable rules, as any breach in the data protection domain will prove costly. The regulation offers several mechanisms to ensure the legality of your cross-border data transfers, provided that you put the right data protection safeguards in place. If you have any questions, please contact our team; we can help you with this and other matters.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.