GDPR and International Data Transfers

Did you know that data transfers from and to the European Union (EU) are subject to GDPR compliance? Well, all businesses collecting and processing EU user data outside of the EU must comply with the provisions of the GDPR pertaining to international data transfers. The GDPR contains principles governing data security for transfers of data outside of the EU. The GDPR requires that any international data transfer may be undertaken only if the third countries (those outside of the EU) implement efficient data protection mechanisms.

Who has to comply

The burden of compliance is on the data controller(s) and the data processor(s) to ensure that the third countries to which personal data is being transferred comply with the GDPR so that the user data protection guaranteed by the GDPR is not undermined. 

What types of organisations are most affected?

These GDPR provisions are intended to apply to the data protection of EU user data, no matter where it is collected, stored, transferred or processed. The GDPR affects all businesses engaged in cross border data transfers, online IT, cloud computing, remote access or global database services.

Are there appropriate safeguards for data transfers?

International data transfer is permissible when appropriate safeguards are in place. Causes of action can be brought by the individuals whose data was used during such a transfer.

Businesses should establish the following as part of their GDPR compliance program:

  • A list of approved countries for data transfer;
  • Availability of a legally binding agreement between public authorities;
  • Binding corporate rules (agreements governing transfers made between various organizations within a corporate group);
  • Inclusion of standard data protection clauses in relevant contracts;
  • Compliance with an approved code of conduct; and
  • Availability of a GDPR certification.

Businesses must still protect user data even when the above safeguards are in place.

Can businesses undertake their own assessment of the adequacy of protection?

No. The GDPR requires businesses to closely monitor and adhere to the specific guidelines established in the regulation.

EU-US Privacy Shield

The EU-US Privacy Shield provides a framework for protection of personal EU user data that is transferred to the US for commercial purposes. The Privacy Shield is in line with the principles outlined in the GDPR.

This arrangement contains provisions pertaining to:

  • Strong data-protection obligations on businesses receiving data;
  • Safeguards on US government access to data; and
  • A mechanism for effective protection and redress for individuals.

Businesses in the US have the option to self-certify and join the Privacy Shield by completing the appropriate documentation. Businesses joining the Privacy Shield are required to follow the data protection safeguard measures and to make annual compliance reports. Businesses that commit to compliance with the Privacy Shield are permitted to undertake data transfers from and to the EU without any further approvals or restrictions.

Are there any exceptions available for international data transfers?

Yes. Cross-border transfers are permissible only in the following exceptional situations:

  • Explicit consent from the end user: the end user provides explicit consent after being informed of all possible risks involved in the data transfer;
  • Performance obligations: the data transfer is necessary at the end user’s request or to perform an obligation under a contract with the end user;
  • Public interest: public interest causes may preclude data transfer restrictions; and
  • Legal claims: enforcement of legal claims may also preclude the data transfer rules under the GDPR.

Businesses cannot undertake international data transfers, even after obtaining user consent, if the transfers are taking place on a large scale.

Conclusion

The GDPR has introduced various compliance mandates in relation to international data transfers. The GDPR definitely ushers in changes that result in companies doing business differently. The EU-US Privacy Shield is an opportunity for US businesses to participate and affirm their commitment to user data privacy. The GDPR provisions require companies to proactively manage their data-transfer programs and to be attentive to any changes on the horizon. If managed correctly, the compliance requirements for international data transfer can benefit companies by showing customers their commitment to remedying privacy issues.

If your organization is concerned about governance, risk mitigation, regulatory compliance, human resources management and ethics, we can help simplify things for you. Call us at 973-520-6131. You can also get in touch on our website at www.riddlecompliance.com. We’re passionate about supporting our clients with respect, transparency, and unparalleled expertise.