• Skip to main content
  • Skip to primary sidebar
  • Skip to footer

Email: accace@accace.com

Contact us
Sign up for news
  • Locations
  • Websites
    • Global (English)
    • Global (German)
    • Czech Republic
    • Germany
    • Hungary
    • Poland
    • Romania
    • Russia
    • Slovakia
    • South Africa
    • Ukraine
    • United States of America (USA)
  • eShop

Accace - Outsourcing and advisory services

  • Services
    • OUTSOURCING
    • Accounting and reporting
    • Accounting online portal
    • Payroll and HR administration
    • Payroll and HR online portal
    • Time and attendance online portal
    • ADVISORY
    • Tax advisory
    • Transaction advisory
    • Legal advisory
    • Corporate and secretarial
    • Advisory online portal
    • MARKET ENTRY SUPPORT
  • COVID-19
  • About us
    • Who we are
    • Case studies
    • Meet our key People
    • Partner with us
    • Corporate Social Responsibility
  • Careers
    • Open positions
    • Who we are
    • Our values
    • Success stories
    • How we care
    • How we act
    • We volunteer
  • Newsroom
  • Events
  • Locations

Transfer of personal data abroad | News Flash

2 Nov 2018

Download PDF

Transferring personal data abroad is happening very often in today’s globalized world, concerning a considerable amount of companies running their business internationally. This phenomenon is fostered by dynamic development of modern technologies, which allow companies to share their data throughout its group in real time without additional costs. Virtually all branches of multinational enterprises share certain personal data with other branches and also with a parent company that manages their worldwide business.

Given that cross-border transfer of personal data is more frequent and much more sophisticated due to the recent development of modern technologies, the EU legislators decided to react to this situation. This has been done by modification of the relevant rules for personal data transfers in the General Data Protection Regulation (the “GDPR”). The aim of this article is to provide a brief summary of these modified rules and recommendations on how to effectively address the issue in practice.

Introduction

When we are talking about transfers of personal data abroad, we mean transfers to third countries, i.e. non-EU countries. There is no need to regulate data transfers within the EU as the legal framework for personal data protection is fully harmonized after GDPR. A transfer of personal data to a third country is any communication, disclosure or other provision of personal data to the controller, processor or other recipient in a third country outside the EU, regardless where the data are physically stored. To legally transfer data to third countries, the conditions of at least one of the legal grounds defined in GDPR have to be met. These legal grounds are as follows:

  1. transfer based on an adequacy decision,
  2. transfer based on appropriate safeguards and
  3. transfer based on exemptions for specific situations.

Transfers on the basis of an adequacy decision

If the European Commission decides that a third country ensures adequate level of protection, it is possible to transfer personal data to such country without any specific authorization. One exemption is the US, where it is necessary to meet additional conditions. It is currently possible to transfer data on this basis only to Andorra, Argentina, Canada, Switzerland, Israel, USA, Uruguay, the Faroe Islands and Guernsey Islands, Man and Jersey.

Transfers subject to appropriate safeguards

GDPR distinguishes between two categories of appropriate safeguards based on which transfers to third countries may be carried out. The first category includes those safeguards that must be approved or are created by a Supervisory Authority or by the European Commission. Once these safeguards are approved, they can be used as such. These are as follows:

  1. binding corporate rules,
  2. standard contractual clauses,
  3. approved code of conduct,
  4. approved certification mechanism.

The binding corporate rules is a document that sets out common binding rules for holding groups or groups of companies conducting joint economic activity. These internal rules have to include, in particular, a specification of the type of data transfers, an indication of the third countries, the liability of individual companies involved, and other matters.

The standard contractual clause is a sample text of a contract that a controller or a processor from the EU should enter into with a controller or a processor from a third country. This text may be incorporated into another contract or business terms or used as a separate contract. Currently, there are standard clauses adopted by the European Commission on the basis of the formerly valid Personal Data Protection Directive which remain in force and can be used. However, it should be noted that the validity of these clauses is currently being reviewed by the CJEU and may therefore be declared as invalid by that court. In the past, the CJEU has already abolished previously used rules for the transfer of personal data to the US and it is not excluded that this will happen in this case again. The approved codes of conduct and the certification mechanism are a dead letter of law at the moment. Currently, there is a code of conduct only for cloud services, and certification mechanisms do not work in practice at all so far.

The second category of appropriate safeguards includes custom contractual clauses, which the parties prepare themselves. However, these clauses have to be approved by the Supervisory Authority before they can be used as a basis for data transfers to third countries.

Transfers based on derogation for specific situations

In cases where there is neither decision on adequacy, nor appropriate safeguards described above, a transfer shall take place only in the following situations:

  1. the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfer for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  2. the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
  3. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  4. the transfer is necessary for important reasons of public interest;
  5. the transfer is necessary for the establishment, exercise or defence of legal claims;
  6. the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

What is the most effective way to solve transfers of data to third countries?

The answer to this question depends on the particular situation. The use of one of the abovementioned exceptions would be appropriate in cases where an organization normally does not transfer personal data to third countries, but a rare situation occurs that requires a third-country transfer. However, also regular transfers that qualify for one of the exceptions may be based on this legal ground.

In most cases, however, it would not be possible or practical to use one of the exceptions. The easiest way, then, is to use standard contractual clauses as a basis for transfers. However, it is worth mentioning the ongoing review by the CJEU again. If an organization chooses to use the current standard clauses and these are subsequently invalidated, the contractual relationships will need to be re-set. This might be time consuming and administratively demanding.

Binding corporate rules would be the most appropriate instrument for multinational groups where data transfers abroad are a regular part of their business. In these cases, it certainly makes sense to adopt unified, sophisticated and robust rules that govern all the transfers. Custom clauses can be recommended in those cases where standard contractual clauses are inadequate, and adopting binding corporate rules would be an unnecessarily robust solution.

Do you need assistance in GDPR issues? Contact our team!

CONTACT

Ondřej Lukeš
Associate | Czech Republic
Tel: +420 222 753 480
E-mail: ondrej.lukes@accace.com

Related news

Report on relations in the Czech Republic

on 22 February 2021, in Czech Republic, Legal and corporate, Local news
Read more

10 Facts about taxation in the Czech Republic | Infographic

on 17 February 2021, in Czech Republic, Infographics, Regional Studies, Taxation
Read more

2021 payroll calculator for the Czech Republic

on 15 February 2021, in CALCULATORS 2020, Czech Republic, Payroll, HR and Labour Law
Read more

What impacts does the 2021 Czech tax package have on the taxation of natural persons in practice? | News Flash

on 20 January 2021, in Czech Republic, News Flash, Other industries, Regional Studies, Taxation
Read more

2021 Tax Guideline for the Czech Republic

on 19 January 2021, in Country guidelines and eBooks, Czech Republic, Taxation
Read more

Value-added tax in the Czech Republic | eBook

on 08 January 2021, in Country guidelines and eBooks, Czech Republic, Taxation
Read more

Labour Law and Employment in the Czech Republic – 2021 Guide

on 07 January 2021, in Country guidelines and eBooks, Czech Republic, Payroll, HR and Labour Law
Read more

2021 Transfer Pricing Overview for the Czech Republic

on 07 January 2021, in Country guidelines and eBooks, Czech Republic, International transactions
Read more

2021 Tax Calendar | Czech Republic

on 07 January 2021, in Calendars, Czech Republic, Other industries, Taxation
Read more

Changes in travel reimbursement in the Czech Republic from 1 January 2021 | News Flash

on 05 January 2021, in Czech Republic, News Flash, Other industries, Payroll, HR and Labour Law, Regional Studies
Read more

Minimum, average and guaranteed wage for 2021 in the Czech Republic | News Flash

on 04 January 2021, in Czech Republic, Local news, News Flash, Other industries, Payroll, HR and Labour Law
Read more

Czech Tax Package 2021: Overview of Proposed Changes | News Flash

on 10 December 2020, in Czech Republic, Local news, News Flash, Other industries, Taxation
Read more

Hard Brexit from the Czech point of view: VAT and customs duty application from 1.1.2021 | News Flash

on 09 December 2020, in Czech Republic, Local news, News Flash, Other industries, Taxation
Read more

Doing business in the Czech Republic is about to get easier | weBlog

on 19 November 2020, in Articles and expert opinions, Czech Republic, Local news, Other industries, WeBlog
Read more

Czech approach to the impacts of Brexit on premiums as of January 2021 | News Flash

on 13 November 2020, in Czech Republic, Local news, News Flash, Other industries, Taxation
Read more

Abolition of real estate acquisition tax and planned tax amendment for 2021 in the Czech Republic | News Flash

on 15 October 2020, in Czech Republic, Local news, News Flash, Other industries, Taxation
Read more

How to correctly calculate the average earnings in the Czech Republic? | News Flash

on 05 October 2020, in Czech Republic, News Flash, News per country, Other industries, Payroll, HR and Labour Law
Read more

Coronavirus from the perspective of Czech labour law | eBook

on 19 March 2020, in Country guidelines and eBooks, COVID, Czech Republic, Local news, Other industries, Payroll, HR and Labour Law
Read more

2020 Company Formation in the Czech Republic

on 24 January 2020, in Country guidelines and eBooks, Czech Republic, Legal and corporate
Read more

“Quick fixes“ – VAT news for 2020 in the Czech Republic | News Flash

on 22 January 2020, in Czech Republic, News Flash, Other industries, Payroll, HR and Labour Law
Read more

Primary Sidebar

<< Back to newsroom

NEW TO THE MARKET?

Use the free consultancy delivered by our in-country experts to get you prepared.

See what is included and schedule your call now!

We only need your email

Footer

About Accace

Originally established in Central and Eastern Europe in 2006, Accace ranks among the leading outsourcing and consultancy providers in the region. Engaging over 600 experts, we have vast experience with handling small to large scale, multi-country outsourcing projects and providing a comprehensive range of our services to over 2,000 customers.

About Accace Circle

Accace operates internationally as Accace Circle, a co-created business community of like-minded BPO providers and advisors who deliver outstanding services with elevated customer experience. Covering almost 40 jurisdictions with over 2,000 professionals, we support more than 10,000 customers, mostly mid-size and international Fortune 500 companies from various sectors, and process at least 170,000 pay slips globally.

Locations and contacts | Accace Circle

Our services

Accounting and reporting
Payroll and HR administration
Tax advisory
Transaction advisory
Legal advisory
Corporate and secretarial

Our eShop

Market entry support
See full list of services

Our online portals

Accounting portal
Payroll and HR portal
T&A portal
Advisory portal

Get in touch with us

Locations and contacts
Contact us
Sign up for news
Newsroom
Careers


Follow us

Facebook LinkedIn Twitter Instagram Youtube


Accace Circle

© Accace all rights reserved | Code of conduct | General Disclaimer | Disclaimer Newsroom | Cookie policy | Privacy policy | GDPR Statement

Get free access to
valuable insights
expert knowledge

Our legislation updates make it easy for you to keep on top of the latest changes affecting your business. Receive our articles, opinions, tips, industry news, country profiles, regional overviews and studies, latest events and even more, directly into your mailbox.

Check out our Newsroom to see what is included!

We only need your email

We will send you only relevant information we consider may be of your interest and treat your personal data in compliance with our Privacy policy and GDPR statement.

Unable to subscribe?  Try this page.

This site uses cookies. By continuing to browse the site, you are agreeing to our use of cookies. Find out more.