What is an international data transfer under the GDPR?

International Data Transfers (EU and Adequacy Decision’s) 

Although, the GDPR alongside the control from the EU commission has included regulations over countries who have the right to transfer and process data into EU countries and vice versa. All EU member states have the right to process data internationally amongst themselves.  

On the other hand, the EU commission has set out it’s power to grant non-EU members with this same right using the ‘Adequacy Decision’. The commission grants the decision to countries, sectors, and territories with an adequate level of national data protection compliance. In addition, a strict criterion is required which assesses: the respect for rule of law, accesses to justice, human rights standard, an effective judicial and democratic doctrine and a close view on any other international obligations or commitments. The commission also can repeal, amend or suspend processing if required. Once the criteria are matched to be deemed ‘adequate’, countries including the UK, Switzerland, Japan and Israel have the authority to freely transfer data within the EU.  

International Data Transfers (Safeguards) 

The question is then asked, how are countries who are not an EU member state or acknowledged under the adequacy decision able to transfer data? Under the GDPR, safeguards have been established to aid countries and individual companies with international data transfers with member states. The adoption of safeguards also allows member states to transfer data to these non-adequate countries.  

1. Standard Contractual Clauses  

The standard contractual clause (SCC) establishes the contractual basis for countries within the EU/EEA to share data with a third party. Although, to ensure the transferred data will be handled and protected by the third country, certain requirements can be placed. For example, in addition to a SCC, a data processing agreement (DPA) can be signed with the other party. this agreement will lay down processes and requirements that must be upheld to processes data. This may include components such: technical and organisational measures, the use of audits and internal compliance practices.  

2. Approved Codes of Conduct and Certification Mechanisms  

Approved codes of conduct are created and revised by associations that represent the data compliance of processors and controllers. These codes of conduct display aid to companies through the application of the GDPR, helping to demonstrate compliance, creates market efficiencies and to facilitate international data transfers. Once this mechanism is applied, the codes are binding and enforceable. This therefore means that once granted, the monitorisation and requirement to remain compliant is mandatory under supervision of the accredited monitoring bodies.  

As for certifications, under article 42 and 43 of the GDPR, a seal or mark of approval is given to a company when they are able to demonstrate an adequate level of compliance. However, this safeguard is subject to renewal every 3 years.  

3. Ad Hoc Contractual Cluses  

For companies who may possess an international chain of branches all around the world (Inside and out of the EEA) the Ad Hoc safeguard is a suitable option for intra data transfers. This applies to companies who engage in joint economic activity and corporate groups. This form of data transfer may be achieved through approval from supervisory bodies and application o Article 47 which addresses the detailed conditions at hand for international transfers.  

To see how All Response Media protects data, see our privacy policy to find out more.

FEATURED READS

Contact us

Find out how our teams across London, Leeds and Amsterdam combine data science with digital and offline advertising to expand your business.

ALL RESPONSE MEDIA SERVICES