International Data Transfer to Third Countries

All personal data transfers to third countries or international organisations follow the rules set out in Chapter V of the GDPR. Where an adequacy decision exists, data transfers do not require specific authorisation; otherwise the controller or processor has to “provide appropriate safeguards” before transferring data to third countries.

Adequacy Decisions

Transfer of personal data to third countries or international organisations can take place after the European Commission has assessed and concluded that the third country or the international organisation has an adequate level of protection of personal data. The rules for adequacy assessment are laid out in Art. 45 (2) of the GDPR. The Commission shall consider:

  1. the rule of law, respect for human rights and fundamental freedoms, relevant legislation, data protection rules, professional rules and security measures, case law,
  2. the existence and effective functioning of one or more independent supervisory authorities responsible for ensuring and enforcing compliance with national data protection rules,
  3. the international commitments and obligations the third country or international organisation concerned has entered into, in particular in relation to the protection of personal data.

Please visit: https://gdpr-info.eu/art-45-gdpr/

There is a list of third countries considered by the European Commission to be countries that generally, either via legislation or other measures, ensure an adequate level of protection.

 

EU Contractual Clauses

To help controllers, the European Commission has provided standard contractual clauses that are automatically considered sufficient safeguards in light of the applicable data protection rules.

When using the Commission’s standard contractual clauses, the controller should begin by determining whether the transfer is to a processor or a controller established in a third country, as separate standard contractual clauses exist for these types of transfers.

Alternatively, companies can propose their own contractual clauses with sufficient data protection safeguards. These clauses have to be submitted to the National Data Protection Agency according to Article 46.3.a) of the GDPR and must subsequently be approved by the European Data Protection Board in accordance with Article 46.4 GDPR through the consistency mechanism.

 

Binding Corporate Rules (BCRs)

The GDPR places binding corporate rules on a statutory footing. It will be possible to obtain authorisation from one supervisory authority that will cover transfers from anywhere in the EU.

Art. 47 (2) of the GDPR lays out the minimum requirements that BCRs should specify:

  1. the structure of the group of undertakings/enterprises engaged in the joint activity and the contact details of each member
  2. the full details of the data transfers
  3. the third country or countries in question
  4. their legally binding nature
  5. the application of the GDPR
  6. the rights of data subjects in regard to processing and the means to exercise those rights
  7. the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union, unless they can prove they are not connected with the incident in the first place
  8. the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority
  9. the cooperation mechanism with the supervisory authority
  10. the mechanisms for reporting to the competent supervisory authority any legal requirements originating in the third country or countries and which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules
  11. the appropriate data protection training for personnel having permanent or regular access to personal data

Please visit: https://gdpr-info.eu/art-47-gdpr/

Under the current legal framework in Greece, the list of binding corporate rules that have been approved includes AstraZeneca S.A., First Data Hellas S.A. and D. Man S.A.

Controllers need to apply to the DPA to be granted a national authorisation for transfers made under BCRs. Greece is not part of the mutual recognition procedure.

 

Exceptions Established by Law

According to Chapter 3 of the GDPR, there are some exceptions under which international data transfers can be made without adequate protection:

  • The data subject has given his unambiguous consent to the proposed transfer; or
  • The transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken in response to the data subject’s request; or
  • The transfer is necessary for the conclusion or performance of a contract concluded in the data subject’s interests between the data controller and a third party; or
  • The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
  • The transfer is necessary to protect the data subject’s vital interests; or
  • The transfer is made from a register which, according to laws or regulations, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in that particular case; or
  • The transfer is necessary for the prevention, investigation and prosecution of criminal offences and the execution of sentences or the protection of persons charged, witnesses or other persons in criminal proceedings; or
  • The transfer is necessary to safeguard public security, the defence of the Realm, or national security.

The European Data Protection Board has issued Guidelines on derogations applicable to international transfers (2/2018).