International Data Transfer to Third Countries

All personal data transfers to third countries or international organisations follow the rules set in the GDPR, in Chapter V. Personal data may be transferred to a third country provided that it guarantees an adequate level of protection. In the case of an adequacy decision, data transfers do not require specific authorization, otherwise the controller or processor have to “provide appropriate safeguards” before transferring data to third countries.

Adequacy Decisions

Transfer of personal data to third countries or international organisations can take place after the European Commission has assessed and concluded that the third country or the international organisation has an adequate level of protection of personal data. The rules for adequacy assessment are laid out in Art. 45 (2) of the GDPR. An assessment of the adequacy of the level of protection shall take account of the circumstances affecting a data transfer operation or a category of data transfer operations. Account shall be taken in particular of the type of data, the purpose or purposes and the duration of the planned processing or processing operations, the country of origin and country of final destination, the general and sectoral legal provisions applying in the non-member country concerned, as well as the rules governing the business sector and security rules applying in these countries.

The Commission shall consider:

  1. the rule of law, respect for human rights and fundamental freedoms, relevant legislation, data protection rules, professional rules and security measures, case law,
  2. the existence and effective functioning of one or more independent supervisory authorities responsible for ensuring and enforcing compliance with national data protection rule
  3. the international commitments and obligations the third country or international organisation concerned has entered into, in particular in relation to the protection of personal data.

Please visit: https://gdpr-info.eu/art-45-gdpr/

 

Contractual clauses

To help controllers, the European Commission has provided for standard contractual clauses that are automatically considered as sufficient safeguards in light of the applicable data protection rules.

Alternatively, the companies can propose their own contractual clauses with sufficient data protection safeguards. These clauses have to be submitted to the Dutch Data Protection Authority according to Art. 46.3.a) of the GDPR and subsequently these clauses will have to be approved by the European Data Protection Board in accordance with Art. 46.4 of the GDPR through the consistency mechanism.

Binding corporate rules

In Art. 47.2 of the GDPR are laid out the minimum requirements, which BCRs should specify:

  1. the structure of the group of undertakings/enterprises engaged in the joint activity and the contact details of each member
  2. the full details of the data transfers
  3. the third country or countries in question
  4. their legally binding nature
  5. the application of the GDPR
  6. the rights of data subjects in regard to processing and the means to exercise those rights
  7. the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union, unless they can prove they are not connected with the incident in the first place
  8. the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
  9. the cooperation mechanism with the supervisory authority
  10. the mechanisms for reporting to the competent supervisory authority any legal requirements originating in the third country or countries and which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules
  11. the appropriate data protection training to personnel having permanent or regular access to personal data

Please visit: https://gdpr-info.eu/art-47-gdpr/

The Binding Corporate Rules (BCRs) are recognised in The Netherlands. BCRs have been approved for ABN AMRO Bank N.V., ADP (controller and processor), Akzo Nobel N.V. (controller), Align Technologies B.V. (controller and processor), Arcadis (controller), BakerCorp International Holdings Inc. (controller), CISCO, D.E. Master Blenders 1753 ex Sara Lee International B.V., Koninklijke DSM N.V. and affiliated companies, ING Bank N.V., LeasePlan Corporation N.V. (controller), NetApp Inc. (controller), Nutreco N.V. (controller), Rabobank Nederland, Royal Philips Electronics, Schlumberger Ltd., Shell International B.V., TNT Express (controller), TMF Group B.V.(controller and processor), Univar (controller) and Vopak (controller).

Exceptions established by law

The transfer of personal data to a non-member country which does not provide guarantees for an adequate level of protection may take place provided that:

  • the data subjects have unambiguously given their consent thereto;
  • the transfer is necessary for the performance of a contract between the data subjects and the responsible parties, or for actions to be carried out at the request of the data subjects and which are necessary for the conclusion of a contract;
  • the transfer is necessary for the conclusion or performance of a contract concluded or to be concluded between responsible parties and third parties in the interests of data subjects;
  • the transfer is necessary on account of an important public interest, or for the establishment, exercise or defence in law of any right;
  • the transfer is necessary to protect a vital interest of data subjects, or
  • the transfer is carried out from a public register set up by law or from a register which can be consulted by anyone or by any persons who can invoke a legitimate interest, provided that in the case concerned the legal requirements for consultation are met.

Exceptionally, the Minister of Justice, after consulting the Data Protection Authority, may issue a permit for a personal data transfer or category of transfers to a non-member country that does not provide guarantees for an adequate level of protection.

The European Data Protection Board has issued Guidelines on derogations applicable to international transfers (2/2018).