Transferring personal data abroad has become a frequent occurrence in today's globalized world, affecting a considerable number of companies that run their business internationally. This phenomenon is fostered by the dynamic development of modern technologies, which allow companies to share their data throughout their group in real time at no additional cost. Virtually all branches of multinational enterprises share certain personal data with other branches and also with a parent company that manages their worldwide business.
Given that cross-border transfers of personal data have become more frequent and far more sophisticated due to the recent development of modern technologies, the EU legislators decided to react to this situation. They did so by modifying the relevant rules for personal data transfers in the General Data Protection Regulation (the "GDPR"). The aim of this article is to provide a brief summary of these modified rules and recommendations on how to effectively address the issue in practice.
When we talk about transfers of personal data abroad, we mean transfers to third countries, i.e. non-EU countries. There is no need to regulate data transfers within the EU, as the legal framework for personal data protection is fully harmonized under the GDPR. A transfer of personal data to a third country is any communication, disclosure or other provision of personal data to a controller, processor or other recipient in a third country outside the EU, regardless of where the data are physically stored. To transfer data to third countries lawfully, the conditions of at least one of the legal grounds defined in the GDPR have to be met. These legal grounds are as follows:
- transfer based on an adequacy decision,
- transfer based on appropriate safeguards and
- transfer based on exemptions for specific situations.
Transfers on the basis of an adequacy decision
If the European Commission decides that a third country ensures an adequate level of protection, it is possible to transfer personal data to such a country without any specific authorization. One exception is the US, where it is necessary to meet additional conditions. It is currently possible to transfer data on this basis only to Andorra, Argentina, Canada, Switzerland, Israel, the USA, Uruguay, the Faroe Islands and the islands of Guernsey, Man and Jersey.
Transfers subject to appropriate safeguards
The GDPR distinguishes between two categories of appropriate safeguards on the basis of which transfers to third countries may be carried out. The first category comprises those safeguards that are created by, or must be approved by, a Supervisory Authority or the European Commission. Once these safeguards are approved, they can be used as such. They are as follows:
- binding corporate rules,
- standard contractual clauses,
- approved code of conduct,
- approved certification mechanism.
Binding corporate rules are a document that sets out common binding rules for holding groups or groups of companies engaged in a joint economic activity. These internal rules have to include, in particular, a specification of the type of data transfers, an indication of the third countries concerned, the liability of the individual companies involved, and other matters.
Standard contractual clauses are a model contract text that a controller or a processor from the EU should enter into with a controller or a processor from a third country. This text may be incorporated into another contract or into business terms, or used as a separate contract. Currently, there are standard clauses adopted by the European Commission on the basis of the formerly valid Personal Data Protection Directive; these remain in force and can be used. However, it should be noted that the validity of these clauses is currently being reviewed by the CJEU and they may therefore be declared invalid by that court. In the past, the CJEU has already struck down previously used rules for the transfer of personal data to the US, and it cannot be ruled out that this will happen again in this case. The approved codes of conduct and the certification mechanism are, at present, a dead letter. Currently, there is a code of conduct only for cloud services, and certification mechanisms are not yet functioning in practice at all.
The second category of appropriate safeguards consists of custom contractual clauses, which the parties draft themselves. However, these clauses have to be approved by the Supervisory Authority before they can be used as a basis for data transfers to third countries.
Transfers based on derogations for specific situations
In cases where there is neither an adequacy decision nor any of the appropriate safeguards described above, a transfer shall take place only in the following situations:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfer for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
What is the most effective way to handle transfers of data to third countries?
The answer to this question depends on the particular situation. Relying on one of the above-mentioned exceptions would be appropriate where an organization does not normally transfer personal data to third countries, but a rare situation occurs that requires a third-country transfer. However, regular transfers that qualify for one of the exceptions may also be based on this legal ground.
In most cases, however, it would not be possible or practical to rely on one of the exceptions. The easiest way, then, is to use standard contractual clauses as a basis for transfers. However, the ongoing review by the CJEU is worth mentioning again. If an organization chooses to use the current standard clauses and these are subsequently invalidated, the contractual relationships will need to be re-established. This might be time-consuming and administratively demanding.
Binding corporate rules would be the most appropriate instrument for multinational groups in which data transfers abroad are a regular part of the business. In these cases, it certainly makes sense to adopt unified, sophisticated and robust rules that govern all such transfers. Custom clauses can be recommended in those cases where standard contractual clauses are inadequate and adopting binding corporate rules would be an unnecessarily heavyweight solution.