International Data Transfer to Third Countries

All personal data transfers to third countries or international organisations follow the rules set out in Chapter V of the GDPR. Where an adequacy decision exists, data transfers do not require specific authorization; otherwise, the controller or processor has to “provide appropriate safeguards” before transferring data to third countries.

Adequacy Decisions

Transfer of personal data to third countries or international organisations can take place after the European Commission has assessed and concluded that the third country or the international organisation has an adequate level of protection of personal data. The rules for adequacy assessment are laid out in Art. 45 (2) of the GDPR. The Commission shall consider:

  1. the rule of law, respect for human rights and fundamental freedoms, relevant legislation, data protection rules, professional rules and security measures, case law,
  2. the existence and effective functioning of one or more independent supervisory authorities responsible for ensuring and enforcing compliance with national data protection rules,
  3. the international commitments and obligations the third country or international organisation concerned has entered into, in particular in relation to the protection of personal data.

There are two main ways to transfer data to a country that has not been approved as one with an adequate level of protection:

Contractual clauses

To help controllers, the European Commission has provided for standard contractual clauses that are automatically considered as sufficient safeguards in light of the applicable data protection rules.

Alternatively, companies can propose their own contractual clauses with sufficient data protection safeguards. These clauses have to be submitted to the Belgian Data Protection Authority according to Article 46.3.a) of the GDPR, and subsequently have to be approved by the European Data Protection Board in accordance with Article 46.4 GDPR through the consistency mechanism.

Binding Corporate Rules (BCRs)

Art. 47 (2) of the GDPR lays out the minimum requirements that BCRs should specify:

  1. the structure of the group of undertakings/enterprises engaged in the joint activity and the contact details of each member
  2. the full details of the data transfers
  3. the third country or countries in question
  4. their legally binding nature
  5. the application of the GDPR
  6. the rights of data subjects in regard to processing and the means to exercise those rights
  7. the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union, unless they can prove they are not connected with the incident in the first place
  8. the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority
  9. the cooperation mechanism with the supervisory authority
  10. the mechanisms for reporting to the competent supervisory authority any legal requirements originating in the third country or countries and which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules
  11. the appropriate data protection training to personnel having permanent or regular access to personal data

Exceptions established by law

According to Chapter 3 of the GDPR, there are some exceptions under which international data transfers can be made without adequate protection:

  • The data subject has given his unambiguous consent to the proposed transfer
  • The transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken in response to the data subject’s request
  • The transfer is necessary for the conclusion or performance of a contract concluded in the data subject’s interests between the data controller and a third party
  • The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims
  • The transfer is necessary to protect the data subject’s vital interests
  • The transfer is made from a register which, according to laws or regulations, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in that particular case.

Please visit: The European Data Protection Board’s Guidelines on derogations applicable to international transfers.
