International Data Transfer to Third Countries

Free flow of personal data is not restricted if data are transferred within the European Economic Area.

Transfers are possible with Model Contracts (the contractual clauses set out in Commission Decision C (2010) 593, Commission Decision C(2004) 5271 and Commission Decision C(2001) 1539). In case of inter-company transfer, Binding Corporate Rules (BCRs) can be used as legal bases of transfer. Austria is a mutual recognition country.  Consent of the data subject also provides legal bases for transferring data to third countries.

Contractual clauses

There are two possibilities: the European Commission’s standard contractual clauses or contractual clauses proposed by the company in question.

To help controllers, the European Commission has provided for standard contractual clauses that are automatically considered as sufficient safeguards in light of the applicable data protection rules. Contracts copying one of the European Commission’s standard contractual clauses can be used without need of ratification by Royal Decree, nor by a specific authorisation by the DPA.

 

Alternatively, the companies can propose their own contractual clauses with sufficient data protection safeguards. These clauses have to be submitted to the Belgian Data Protection Authority according to article 46.3.a) of the GDPR and subsequently these clauses will have to be approved by the European Data Protection Board in accordance with article 46.4 GDPR through the consistency mechanism

Binding Corporate Rules (BCRs)

If multinationals wish to put in place data transfers within their own company and some of their establishments are outside the European Economic Area, they can also offer sufficient data protection safeguards by means of internal codes of conduct (Binding Corporate Rules). Binding Corporate Rules allow companies to exchange personal data within their corporate structure, whilst complying with the GDPR.

In Art. 47 (2) of the GDPR are laid out the minimum requirements, which BCRs should specify:

  1. the structure of the group of undertakings/enterprises engaged in the joint activity and the contact details of each member
  2. the full details of the data transfers
  3. the third country or countries in question
  4. their legally binding nature
  5. the application of the GDPR
  6. the rights of data subjects in regard to processing and the means to exercise those rights
  7. the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union, unless they can prove they are not connected with the incident in the first place
  8. the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
  9. the cooperation mechanism with the supervisory authority
  10. the mechanisms for reporting to the competent supervisory authority any legal requirements originating in the third country or countries and which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules
  11. the appropriate data protection training to personnel having permanent or regular access to personal data

Please visit: https://gdpr-info.eu/art-47-gdpr/

Exceptions established by law

According to Chapter 3 of the GDPR, there are some exception according to which international data transfers can be made without adequate protection:

  • The data subject has given his unambiguous consent to the proposed transfer
  • The transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken in response to the data subject’s request
  • The transfer is necessary for the conclusion or performance of a contract concluded in the data subject’s interests between the data controller and a third party
  • The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims
  • The transfer is necessary to protect the data subject’s vital interests
  • The transfer is made from a register which, according to laws or regulations, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in that particular case.

Please visit: https://gdpr-info.eu/chapter-5/

The European Data Protection Board has issued Guidelines on derogations applicable to international transfers (2/2018).