International transfers
What are international transfers?
As the controller for the processing of personal data, EU institutions, bodies, offices and agencies (EUIs) are accountable for the transfers that they make and that are carried out on their behalf within and outside the European Economic Area (EEA: EU Member States and Iceland, Liechtenstein and Norway). These transfers can only occur if the EUI in question has instructed them or allowed them, or that such transfers are required under EU Law or under Member States' Law.
In their day-to-day activities, EUIs may need to transfer personal data to recipients outside the EU/EEA. These activities may include:
- dealings with foreign public entities (for anti-fraud or competition investigations, for example);
- the outsourcing of services to external providers allowing remote access from a non-EU/EEA country to data stored within the EU/EEA and/or processing data outside the EU/EEA (e.g. cloud computing, web-services);
- when arranging staff work trips to non-EU/EEA countries.
According to Chapter V of Regulation (EU) 2018/1725, transfers of personal data from EUIs to non-EU/EEA countries and international organisations may take place when:
- there is an adequate level of protection of individuals’ (data subjects) fundamental right to data protection in the non EU/EEA country or international organisation to which data is transferred to;
- individuals’ personal data is only transferred to allow tasks within the competence of the EUI to be carried out.
The European Commission carries out adequacy assessments of non-EU/EEA countries and international organisations to determine whether an adequate level of protection of individuals’ data is offered. Several countries have been deemed to ensure an adequate level of protection due to their domestic law or international commitments.
In the absence of an adequacy decision, personal data may still be transferred under specific conditions.
- The EUI or its processor can provide appropriate safeguards, by using transfer tools according to Article 48 of Regulation (EU) 2018/1725, such as standard contractual clauses for transfers, or for transfers from a processor of an EUI to sub-processors by also using transfer tools within the meaning of Article 46 of the GDPR (1). These conditions apply if appropriate safeguards ensure a level of protection essentially equivalent to that guaranteed within the EU, and if individuals are able to enforce their data protection rights and effective legal remedies. In order to ensure such level of protection, the adoption of measures supplementing the appropriate safeguards may be required (2).
- The EUI wishing to transfer data outside the EU/EEA can - in limited and specific cases - refer to one of the derogations listed in Regulation (EU) 2018/1725, providing that no other transfer tool can be used. Examples of derogations include, an individual giving their consent for their personal data to be transferred, if a transfer is necessary for the conclusion or performance of a contract, or is necessary for important reasons of public interest, or for exercising defence in legal proceedings.
(1) According to Article 48 of Regulation (EU) 2018/1725, appropriate safeguards can be provided without any specific authorisation from the European Data Protection Supervisor (EDPS) based on:
- legally binding and enforceable instruments with public authorities or international organisations;
- standard contractual clauses for transfers under Regulation (EU) 2018/1725 adopted by the Commission or those adopted by the EDPS;
- binding corporate rules, codes of conduct or certification mechanisms pursuant to the GDPR;
with the EDPS’ authorisation based on:
- ad hoc contractual clauses with non-EU/EEA private entities;
- administrative arrangements with public authorities or international organisations; or
- if the EDPS authorised the transfer under Article 9(7) of Regulation (EC) No 45/2001.
(2) Judgment of the European Court of Justice of 16 July 2020 in Case C-311/18 (Schrems II)
What are the main data protection issues?
Transferring personal data beyond the reach of EU data protection law may create additional risks for individuals, because there may be a lower level of protection in the non-EU/EEA country or international organisation of destination. This may have an impact on individuals’ ability to exercise their data protection rights, in particular to protect themselves from unlawful use or disclosure of their personal data for example.
Under Article 46 of Regulation (EU) 2018/1725, an essentially equivalent level of protection of personal data must be ensured when transfers of personal data from EUIs to non EU/EEA countries or international organisations occur and if any other subsequent transfer occurs. Transfers of personal data must comply with all provisions of Regulation (EU) 2018/1725 and respect the fundamental rights and freedoms enshrined in the EU Charter of Fundamental Rights. In particular, they must comply with the principles under Articles 4 and 5 of Regulation (EU) 2018/1725 and Article 10 if the processing involves special categories of data.
To ensure this, a two-step process should be followed:
- a valid legal basis must underpin the data processing and all relevant provisions of Regulation (EU) 2018/1725 must be respected;
- the provisions of Chapter V of Regulation (EU) 2018/1725 must be upheld.
Lawfulness - The collection, storage and use (processing) of personal data by any organisation must be compliant with data protection legislation. Furthermore, any transfer of data must also have a proper legal basis (for EU institutions and bodies, this is Regulation (EU) 2018/1725) and be consistent with the original purpose of the processing.
Data quality - Organisations wishing to transfer data outside the EEA (to a non-EU/EEA country or an international organisation) must respect the principles of purpose limitation (i.e. data should be transferred for a specific purpose and subsequently used only insofar as this is not incompatible with the purpose of the transfer), data minimisation, and ensure the accuracy of the data transferred, and time limits for retaining the data.
Right of information - Individuals must be informed about their rights and for what purposes their information is processed both before the transfer (i.e. when data is first collected) and when the transfer takes place.
Rights of access and rectification - Individuals have a right to access the personal data being processed about them and to rectify any inaccurate or incomplete information. Individuals also have other rights as data subjects (right to restriction of processing, right to notification of recipients regarding rectification or erasure of personal data or restriction of processing, right to data portability, as well as rights to object and not to be subject to automated individual decision-making, including profiling). Exceptions may apply, for example in the context of investigations into criminal offences. Deferral of information should be decided on a case-by-case basis and the reasons for any restriction should be documented. Individuals must also be informed on how they may exercise their rights.
Processing of special categories of personal data - Processing of special categories of data, such as data relating to health or revealing racial or ethnic origins is, in principle, prohibited under data protection laws, except in specific circumstances. For example, it is possible to process sensitive data if the processing is necessary for the purpose of a medical diagnosis, or with specific safeguards for employment purposes.
Safeguards for transferring personal data to non-adequate countries and international organisations
EUIs must choose the appropriate transfer tools to meet the requirements set out in Regulation (EU) 2018/1725. Appropriate safeguards are data protection guarantees specifically for transfers of personal data to a recipient in a non-EU/EEA country or international organisation that does not have an adequate level of data protection. The safeguards of the chosen transfer tool must be outlined in a contract, or a Memorandum of Understanding for example, between the transferring and recipient parties. The transfer tool must include practical requirements on how the transfer will take place and include the safeguards and measures to protect individuals’ personal data.
The transfer tool used should clearly describe the key concepts used in the transfer tool, data protection principles, safeguards and measures that have to be respected for the transfer to the recipient in a non-EU/EEA country or international organisation to occur. In particular:
- data should be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer;
- data quality and proportionality;
- information of individuals concerned;
- security measures;
- possibility for the individuals involved to exercise their rights of access, rectification and opposition and other rights, including seeking legal remedies;
- restrictions on onward transfers by the recipient concerned;
- effective supervision and enforcement mechanisms to ensure that the above-mentioned principles are respected.
Furthermore, a description of the details of the transfer must also be provided, such as:
- a list of entities that will have access to the transferred data;
- the types of personal data;
- the categories of individuals;
- the purpose(s) for which that personal data is transferred and processed;
- retention periods;
- detailed technical, organisational and security measures;
- information to be provided to the individuals (data subjects) concerned and how individuals can exercise their rights.
Where it is necessary to supplement the safeguards contained in the used transfer tool to ensure the required essentially equivalent level of protection as in the EU, that transfer tool must also include any contractual supplementary measures and commitments to implement specific technical and organisational supplementary measures.
More Information
The following non-exhaustive list is a selection of documents for further reading:
EDPS documents:
- EDPS position paper on transfers with authorisation decisions and relevant consultations
- EDPS Strategy for Union institutions, offices, bodies and agencies to comply with the ‘Schrems II’ Ruling
Other:
- EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
- EDPB Recommendations 02/2020 on the European Essential Guarantees for surveillance measures
- EDPB Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
- EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
- Webpage of the Commission (DG JUST) on transfers:
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en