European Data Protection Supervisor
European Data Protection Supervisor

International transfers

International transfers

What you should know about international transfers

In their daily activities, EU institutions and bodies may need to transfer personal data to recipients outside the European Union; these activities can include dealings with foreign public entities (for anti-fraud or competition investigations, for example), the outsourcing of services to external providers located outside the EU and/or processing the data outside the EU (e.g. cloud computing, web-services), or when arranging staff work trips to non-EU countries.

Transfers of personal data (or personal information) from institutions and bodies of the European Union (EU) to countries that are not members of the European Economic Area (EEA), i.e EU Member States plus Norway, Iceland and Lichtenstein are regulated under Article 9 of the Regulation (EC) n° 45/2001 (Regulation 45/2001), which is similar in many respects to the data protection Directive (EC) 95/46 (the Directive) (1).
According to Regulation 45/2001, international transfers may take place when there is an adequate level of protection to the fundamental right of individuals (data subjects) to data protection. Adequacy assessments may be carried out by those wishing to transfer data outside the EEA themselves, or by the European Commission. The Commission has determined that several countries ensure an adequate level of protection by reason of their domestic law or of the international commitments they have entered into. Transfers to US organisations that signed up to the Safe Harbor scheme were considered adequate pursuant to the European Commission Decision 2000/520/EC of 20 July 2000; however this adequacy decision was invalidated by the Court of Justice of the EU on 6 October 2015 (2) and as a result transfers to the U.S. can no longer take place on that basis. On 2 February 2016, the European Commission and the United States agreed on a new framework for transatlantic data transfers: "the EU-U.S. Privacy Shield", replacing the Safe Harbor scheme, which should lead to the adoption of a new adequacy decision by the European Commission for transfers to U.S. organisations subscribing to the Privacy Shield. The European Commission officially adopted the adequacy Decision on 12 July 2016.

In the absence of an adequacy decision, personal data may still be transferred by an EU institution to a non-EEA country under certain conditions:

  • if the organisation wishing to transfer data outside the EEA can provide additional safeguards, for example by adopting the Commission's standard contractual clauses, or other binding safeguards authorised by the European Data Protection Supervisor (EDPS); (3)
  • the organisation wishing to transfer data outside the EEA can refer to one of the derogations listed in the Regulation provided that the transfer is not repeated, massive or structural, and no other legal framework can be used. Examples of derogations include, an individual giving her consent for her data to be transferred; if a transfer is necessary for the conclusion or performance of a contract; or for exercising defence in legal proceedings.

(1) Regulation 2016/0679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, will replace Directive (EC) 95/46 as from May 2018. Regulation 45/2001 will be revised along the same lines and the new text should be applicable at the same time as Regulation 2016/0679.

(2) Judgment of the European Court of Justice of 6 October 2015 in Case C-362/14 (Schrems).

(3) Amongst other additional safeguards, we also note that Binding Corporate Rules (BCRs) is a mechanism for transfer that has been developed by national DPAs, which can be relied upon by private organisations in the context of their exchanges of personal data between entities that are part of the same organisation. It is a sort of internal code of conduct to which entities of a same organisation may subscribe. BCRs are not e mechanism that can be entered into by public entities, such as the EU institutions and bodies, for their own transfers and the EDPS therefore cannot authorise them. However, EU institutions and bodies may validly choose a private service provider that has entered into BCRs for safeguarding transfers within its group of entities.


What are the main data protection issues?

Lawfulness - The collection, storage and use (processing) of personal information by any organisation must be compliant with data protection legislation (the Regulation or the Directive). Furthermore, any transfer of such data must also have a proper legal basis (for EU institutions, this is the Regulation) and be consistent with the original purpose of the processing.

Data quality - Organisations wishing to transfer data outside the EEA must respect the principles of purpose limitation (i.e. data should be transferred for a specific purpose and subsequently used only insofar as this is not incompatible with the purpose of the transfer), data minimisation and ensure the accuracy of the data transferred and time limits for retaining the data.

Right of information - Individuals (data subjects) must be informed about their rights and for what purposes their information is processed both before the transfer (i.e. when data is first collected) and when the transfer takes place.

Rights of access and rectification - Individuals have a right to access the personal information being processed about them and to rectify any inaccurate or incomplete information. Exceptions may apply, for example, investigations into criminal offences. Deferral of information should be decided on a case by case basis and the reasons for any restriction should be documented. Individuals must also be informed on how they may exercise their rights.

Processing of sensitive data - Processing of special categories of data, such as data relating to health or revealing racial or ethnic origin, is in principle prohibited under data protection laws, except in specific circumstances. For example, it is possible to process sensitive data if the processing is necessary for the purpose of a medical diagnosis, or with specific safeguards for employment purposes.


Safeguards for transferring personal data to non-adequate countries

Adequate safeguards are data protection guarantees specifically for transfers of personal data to a recipient in a non-EEA country that is not deemed adequate. The safeguards must be outlined in a legally binding instrument, such as a contract or a Memorandum of Understanding, between the transferring and recipient parties. They should clearly describe the data protection principles that have to be respected, in particular

  • data should be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer;
  • data quality and proportionality;
  • information of individuals concerned;
  • security measures;
  • possibility for the individuals involved to exercise their rights of access, rectification and opposition,
  • restrictions on onward transfers by the data recipient;
  • effective supervision and enforcement mechanisms to ensure that the above-mentioned principles are respected.

Furthermore, a description of the details of the transfer, such as the categories of data, purposes, retention periods, detailed security measures, information to be provided to the individuals (data subjects) concerned and how they can exercise their rights must also be provided.


More information

The following non-exhaustive list is a selection of documents for further reading:

EDPS documents:

Other:

On Safe Harbor and EU-U.S. Privacy Shield:

 
Decision tree
 

Step 1

/file/step1png_enstep1.png

Step 1

 

Step 2

/file/step2png_enstep2.png

Step 2