As a result of expanding international trade and collaboration due to globalization, an increasing amount of personal data is being transferred to and from countries outside the EU and international organizations.

This has raised challenges and concerns about how that data is protected during and after transfer.

To maintain the level of data protection ensured by GDPR for EU residents, this regulation includes strict conditions for transferring personal data outside of the EU or European Economic Area (EEA).

Data Transfer Requirements

In cases where personal data is transferred outside of the EU or EEA, GDPR requires the relevant organizations (i.e., data importer and data exporter organizations) to adopt appropriate data protection safeguards that include technical and organizational measures.  

Data transfers are allowed if the European Commission (EC) has reached an adequacy decision about the country where the receiver is based. That means the EC has reviewed the non-EU state’s laws and regulations and found that they provide an adequate level of personal data protection.

In the absence of an adequacy decision, data transfers are allowed to non-EU states in the following cases: 

  • The transfer is covered by the appropriate safeguards listed in GDPR Article 46
  • You have informed the data subject of possible risks and have their explicit consent
  • The data transfer is necessary to fulfill contractual obligations with the data subject
  • The data transfer is in the public interest or will protect an individual’s vital interests
  • The data transfer is required to establish or defend a legal claim
  • The transfer is being made from a public register
  • It’s a one-off transfer that is in your legitimate interest

Example

If data that is protected by the GDPR is transferred to countries outside the EU and/or stored there, the rules protecting that data continue to apply. This is one reason why this legislation may impact businesses all over the world, despite its scope being limited to EU residents’ personal data.

Let’s take a look at an example of a business that must comply with GDPR data transfer requirements below. This is based on an example posted by the EC. 

A company based in France is planning to expand its services to Argentina, Uruguay, and Brazil. Both Argentina and Uruguay have been declared adequate by the EC. Brazil has not been the subject of an adequacy decision. How can the French company transfer personal data to all three countries while complying with GDPR data transfer requirements?

The French company would be able to transfer personal data to Argentina and Uruguay without any additional safeguards because they have been declared adequate. To transfer data to Brazil, however, the company would have to provide appropriate safeguards, like binding corporate rules or agreements containing contractual clauses that ensure organizational and technical safeguards are in place.

FAQs

What constitutes a data transfer under GDPR?

Under GDPR, the processing of personal data constitutes a data transfer to a third country (i.e., a country outside the EEA) or international organization if it meets the following three criteria:

  • The data controller or processor (or “data exporter”) is subject to the GDPR for the given processing.
  • The “data exporter” transmits or otherwise makes personal data available to a “data importer”.
  • The “importer” is in a third country outside the EEA, or is an international organization.

What does the adequacy decision mean?

An adequacy decision means that the European Commission has declared that a third country offers a level of protection for personal data equivalent to that of the EU, so a data exporter can transfer data to a company in that country without needing to adopt further data protection safeguards or being subject to additional conditions.

Can you transfer data outside the EU according to GDPR?

Yes, but only if the EC has reached an adequacy decision about the country where the receiver is based or the transfer matches one of the cases below:

  • The transfer is covered by the appropriate safeguards listed in GDPR Article 46
  • You have informed the data subject of possible risks and have their explicit consent
  • The data transfer is necessary to fulfill contractual obligations with the data subject
  • The data transfer is in the public interest or will protect an individual’s vital interests
  • The data transfer is required to establish or defend a legal claim
  • The transfer is being made from a public register
  • It’s a one-off transfer that is in your legitimate interest