Get ready for GDPR: cross-border data transfers

What steps can you take now to prepare for the new GDPR rules on cross-border data transfers?

05 September 2017
Data transfers

Our 'Get ready for GDPR' updates are designed to outline what you can do now to prepare for compliance with GDPR, which comes into force on 25 May 2018. If you would like us to notify you when new updates are available, please sign up for email alerts.  

Cross-border data transfers: what you need to know

Does your organisation transfer personal data outside of the European Economic Area (eg via online and cloud services)? Do you have suppliers or storage systems which may transfer data internationally? If so, you need to ensure that you comply with the data transfer rules under GDPR.

The current Data Protection Directive imposes restrictions on data transfers. GDPR will also restrict transfers of personal data to third countries (i.e. outside of the EEA) which could impact organisations that operate internationally. 

This article outlines the circumstances in which data transfers will be permitted, changes introduced in GDPR and what you can do now to prepare for compliance. 

Each transfer of personal data that is not GDPR-compliant could result in a fine of up to 4% of your organisation's worldwide annual turnover.

When are cross-border data transfers permitted?

Both the current Data Protection Directive and GDPR allow the transfer of personal data under certain circumstances.

Recipient country is declared 'adequate'

Currently, data transfers are allowed to a third country if the European Commission decides it has 'adequate' safeguards for personal data protection. GDPR goes further, allowing transfers to individual territories or sectors within a third country if they have been deemed adequate. 

Standard contractual clauses

Transfers are permitted if there are standard contractual clauses adopted by the European Commission or a supervisory authority (and approved by the Commission), or authorised by a supervisory authority.

Binding Corporate Rules (BCRs)

BCRs allow various legal entities within a corporation (eg a multinational) to transfer personal data. BCRs can also be used by a group of enterprises engaging in a joint economic activity. Under GDPR, BCRs will need to be approved by a supervisory authority according to rules laid out in GDPR's consistency mechanism.

Codes of conduct and certification schemes

Under GDPR, transfers are permitted under codes of conduct and certification schemes drawn up by industry associations or representative bodies. These must be approved by a supervisory authority. 

Ad hoc safeguards

Ad hoc data protection safeguards may also be agreed if they are approved by the relevant supervisory authority. 

Specific derogations 

Like its predecessor, GDPR will also include specific exemptions for data transfers which apply when:

  • the data subject explicitly consents to the transfer (and is aware of the risks)
  • the transfer is needed for the performance of a contract
  • the transfer is deemed necessary for reasons of public interest
  • the transfer is necessary in relation to a legal claim
  • the transfer is necessary to protect the data subject's vital interests (eg their life)
  • the transfer is made from a public register established by law in the European Union or a member state
  • the transfer is necessary for the 'legitimate interests' of the data controller. These interests must not supersede the rights of the data subject. The data controller must assess all circumstances of the transfer and provide reasonable safeguards to protect the personal data.

What can you do now?

  • Audit your data flows: Do you transfer data beyond the EEA? Where does it go and how do you transfer it?
  • Demonstrate compliance: Think about how your organisation can prove compliance with GDPR.
  • Talk to your suppliers: Ensure that your suppliers are getting ready to comply with GDPR. Review your contracts.
  • Review your privacy notices: Ensure your privacy statements meet the requirements set out in GDPR.
  • Investigate BCRs: Is your organisation multinational? Consider using Binding Corporate Rules for data transfers.
  • Codes of conduct and certification schemes: Are there any associations or bodies in your sector with which you could develop codes of conduct or certification schemes?


Key contact

Andrew Dunlop, Partner

  • Head of Outsourcing
  • Head of Technology
  • Head of Data Protection