Overview
Against the backdrop of expanding international trade, European legislators have imposed special data protection requirements on the transfer of personal data to recipients in socalled third countries, i.e. countries outside the EU or the EEA, in order to protect the rights and freedoms of the individuals concerned. The aim is to ensure that the level of protection for natural persons guaranteed throughout the EU by the General Data Protection Regulation (GDPR) is not undermined when personal data is transferred to third countries. Articles 44 et seq. in Chapter V of the GDPR specify the conditions under which controllers or processors subject to the GDPR may transfer personal data to third countries.
Two-stage assessment for transfers to third countries
If personal data is to be transferred to a third country, a two-stage assessment must be carried out in advance:
- Stage of assessment: Regardless of the specific requirements for data transfers to third countries set out in Articles 45 et seq., are all other data protection requirements complied with? (In other words: Would the data transfer be permissible if it were a purely national or European matter, i.e. if there were no connection to the third country?)
- Stage of the assessment: Compliance with the specific requirements for transfers to third countries?
The requirement for a two-stage assessment arises from Article 44(1) of the GDPR, which requires controllers and processors to comply with the provisions of Chapter V of the GDPR and with the ‘other provisions of this Regulation’. Simply complying with the specific requirements of Chapter V is therefore not sufficient to legitimise the transfer of personal data to a third country.
In addition to justification for the transfer to a third country, the principles of Article 5 of the GDPR must be complied with, as is the case with domestic processing, and there must be a legal basis for the processing in ac-cordance with Article 6 et seq. of the GDPR. Transparency obligations must also be observed, cf. Article 13(1)(f) and Article 14(1)(f) of the GDPR.
The GDPR provides for the following mechanisms in particular to legitimise data transfers to third countries (stage 2):
- Determination of the adequacy of the level of data protection in the third country by the EU Commission (Article 45 GDPR)
The Commission has the option of determining the existence of an adequate level of protection for specific third countries. The determination may also be limited to a specific territory or sector in the third country or to specific categories of data.
In July 2023, the EU Commission determined that, in its view, an adequate level of data protection exists with regard to the transfer of personal data to (self-)certified US companies under the new EU-US Data Privacy Framework (EU-US DPF). For details on the EU-US DPF, see here.
- Existence of suitable safeguards (Art. 46 GDPR), in particular
- Binding internal data protection rules (Binding Corporate Rules)
(Art. 46(2)(b), Art. 47 GDPR) - Standard data protection clauses (SCC) of the EU Commission
(Art. 46(2)(c) GDPR)
or
- Exceptions for specific cases (Art. 49 GDPR)
For details on the conditions under which a transfer to a third country is acceptable, see here.