Further Reading: Transfers of personal data out of the EU/EEA

The protection provided by the GDPR is intended to travel with the Personal data whether within or outside of the EU/EEA.

  • Transfers can be made within the EU/EEA without additional controls (although there is a need to identify the lead Supervising Authority)
  • Transfers can be made to other “third countries” where the EU has granted a certificate of adequacy – renewable every 4 years
  • Save for infrequent transfers, any transfers of personal data must be protected by:
    • a legally binding and enforceable instrument between public authorities or bodies, or;
    • binding corporate rules, or;
    • standard contract clauses, or;
    • approved codes of conduct or other approved mechanisms;
  • A one off or infrequent transfers can be made based on a number of derogations for specific situations:
    • except for public authorities, made with the individual’s explicit consent;
    • except for public authorities, necessary for the performance of a contract in some circumstances;
    • necessary for important reasons of public interest;
    • necessary for the establishment, exercise or defence of legal claims;
    • necessary to protect the vital interests;
    • from a register which under UK or EU law is intended to provide information to the public

Transfers of personal data to third countries (other than stated as above) should not be made in accordance with a judgment of a court or tribunal or any decision of an administrative authority of a third country requiring a controller or processor unless it is based on an international agreement or treaty.

Transfers of personal data to the US were until very recently, deemed compliant provided they were made subject to the privacy shield. Following a case brought Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”) and heard in July 2020 the CJEU affirmed the validation of Standard Contract Clauses (SCC’s) and invalidated the Shield. The issue remains live as the difficulty is two fold:  THE NEXT BIT IS MISSING FROM JANE’S DRAFT – SHEET 3


In July 2020 the European Court invalidated the Privacy Shield, and hence all but exempt transfers to the US are now non- THE REST OF THIS SENTENCE IS ALSO MISSING FROM THE END PAGE OF JANE’S DRAFT


FAQ’s on the Schrem’s case:
https://edpb.europa.eu/our-work-tools/our- documents/other/frequently-asked-questions-judgment-court-justice-european-union_en

ICO guidance with an overview of international transfers and links to further reading
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/international-transfers/

Chapter V, Articles (44 to 50) and Recitals (101) to (116) of the GDPR EDPB’s latest guidelines on international transfers:
EDPB guidelines on Adequacy Referential
EDPB guidelines on Binding Corporate Rules for Controllers
EDPB guidelines on Binding Corporate Rules for Processors See also for reference the European Commission Communication on Exchanging and Protecting Personal Data in a Globalised World1, 10 January 2017