GDPR

Data Transfer Issues

New requirements for Data processors under the GDPR

Under the Directive, the bottom line is that businesses are prohibited from transferring personal data outside the European Economic Area to a third country that does not have adequate data protection

Businesses may also transfer personal data to a third country on the basis of a mechanism from which an adequate level of data protection can be adduced (e.g. the standard contractual clauses approved by the EU Commission (“Model Clauses“) or Binding Corporate Rules (“BCR“) or if one of the derogations under the Directive applies.

As per Article 46 of GDPR

In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

• The nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
• a legally binding and enforceable instrument between public authorities or bodies;
• binding corporate rules in accordance with Article 47;
• Any relevant previous infringements by the controller or processor;
• standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
• standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
• an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
• an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

• contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
• provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.