International transfers

What are international transfers?

As controllers for the processing of personal data, EU institutions, bodies, offices and agencies (EUIs) are accountable for the transfers of personal data that they make and that are carried out on their behalf within and outside the European Economic Area (EEA: EU Member States and Iceland, Liechtenstein and Norway). These transfers can only occur if the EUI in question has instructed them or allowed them, or if such transfers are required under Union law or under EU Member States' Law.

Transferring personal data beyond the EEA may create additional risks for individuals, because there might be a lower level of protection in the non-EU/EEA country or international organisation of destination. This may have a negative impact on the individuals’ ability to exercise their data protection rights, in particular to protect themselves from unlawful use or disclosure of their personal data.

According to Regulation (EU) 2018/1725, transfers of personal data from EUIs to non-EU/EEA countries and international organisations may only take place when the conditions laid down in Chapter V are complied with by the controller and processor, including for onward transfers, in order to ensure that the level of protection guaranteed by the Regulation is not undermined.

Definition of a transfer: Regulation (EU) 2018/1725 does not provide a definition of international transfers. However, the European Data Protection Board (EDPB) has identified three cumulative criteria to identify an international transfer that EUIs can use, as follows:

The controller or processor involved in the transfer is subject to EU data protection law for the given processing;
The controller or processor makes personal data available to another data controller or processor by means of disclosure or transmission;
This other data controller or processor is in a country outside the EEA or is an international organisation.

In practical terms, when it comes to the second condition, a transfer of personal data entails the communication, transmission, disclosure or otherwise making available personal data to a third party, conducted with the knowledge or intention of the sender that the recipient(s) have access to it. It includes "deliberate transfer" of personal data and "permitted access" to personal data, but excludes cases of access happened in the context of illegal actions (e.g. hacking).

When an EUI transfers data outside the EU/EEA, it is a data exporter and the recipient is the data importer. Transfers are processing operations and so must comply with EU data protection law.

The remote access from a third country to personal data qualifies as a transfer; this implies that no storage of data in that third country is required. However, in the EDPS opinion, the mere risk (e.g. national legislation allowing authorities to access the data under certain conditions) that remote access by third country entities to data processed in the EEA may take place, does not yet constitute a transfer subject to Chapter V of the Regulation.

Onward transfers are subsequent transfers of personal data from controllers, processors or other recipients in the third country or international organisation to other controllers, processors or recipients in another third country or international organisation or in the same third country or international organisation. When it comes to international transfers between public authorities, this second type of onward transfers is usually called onward sharing of personal data.

It is the responsibility of the controller of the original transfer to ensure that any onward transfers ensure the same level of protection as the original transfer.

General principles

Transfers of personal data must comply with the provisions laid down in Chapter V of the Regulation (EU) 2018/1725, while also subject to the other provisions of the Regulation and be consistent with the original purpose of the processing. In particular, they must comply with the principles enshrined under Articles 4 and 5, as well as Article 10 of Regulation (EU) 2018/1725 if the processing involves special categories of data.

To ensure this, a two-step process must be followed:

First, a valid legal basis must underpin the data processing and all relevant obligations under Regulation (EU) 2018/1725 must be respected;
Second, the provisions of Chapter V must be complied with.

In other words: EUIs wishing to transfer data outside the EEA must ensure that the transfer respects the principles of fairness, lawfulness, purpose limitation (i.e. data should be transferred for a specific purpose and subsequently used only insofar as this is not incompatible with the purpose of the transfer), data minimisation, data accuracy and data retention.

Individuals must be informed about their rights and for what purposes their information is processed both before the transfer (i.e. when data is first collected) and when the transfer takes place.
Exceptions may apply, for example in the context of investigations into criminal offences. Deferral of information should be decided on a case-by-case basis and the reasons for any restriction should be documented.
Individuals must also be informed on how they may exercise their rights.

Obligations of the controllers

According to the principle of accountability, controllers shall ensure, verify and demonstrate that any processing they undertake, or that is done on their behalf, is performed in compliance with the Regulation, including the provisions on transfers of personal data.

EUIs shall remain in control and take informed decisions when they select processors and allow transfers of personal data outside the EEA.

EUIs must carefully assess the necessity and proportionality of their envisaged transfers, including also an assessment of the level of protection in the third country of destination, to justify the implied interference with individuals’ fundamental rights to private life and data protection.

EUIs should follow the EDPB guidelines and recommendations on transfers in addition to the EDPS ones. Whenever the provisions of the EUDPR follow the same principles as the provisions of the GDPR, the two sets of provisions should, under the case law of CJEU, be interpreted homogenously, in particular because the scheme of Regulation (EU) 2015/1725 should be understood as equivalent to the scheme of GDPR (as applicable to public authorities of Member States). References to provisions of GDPR made in the EDPB guidelines and recommendations should be read as references made to corresponding provisions of EUDPR.

Transfer impact assessment (TIA)

EUIs, as data controllers, are responsible and accountable for complying with Regulation (EU) 2018/1725 as interpreted by the CJEU through its case law. Before a transfer takes place, the EUI must determine whether, in the context of the specific transfer, the third country of destination affords the transferred data an essentially equivalent level of protection to that in the EU/EEA. The best way to do this is to carry out a Transfer Impact Assessment (TIA).

The Data Protection Officers of EUIs can provide advice (e.g. on the assessment of the level of protection or on suitability of identified supplementary measures), but the DPO is not responsible to carry out TIAs on behalf of or instead other controllers within their EUI.

While conducting the TIAs, EUIs should refer to the EDPB Recommendations 01/2020 on supplementary measures, and, as regards the assessment of access by public authorities for surveillance purposes, to the EDPB Recommendations 02/2020 on European Essential Guarantees, both adopted by the European Data Protection Board.

EUIs also should take into account the EDPB Guidelines on legally binding instruments and administrative arrangements for transfers between EEA public authorities to third country public authorities and to international organisations.

The TIA must cover any transfers that are occurring or are envisaged under the EUI’s contract or under other organised relationship with the recipients in the third countries. The EUI cannot leave the responsibility for the TIA to its processor or recipient (data importer) in a third country.

The TIA should take into consideration the specific circumstances of the transfer (e.g. types of transferred data, purposes for which they are transferred and processed in the third country and how) and all the actors participating in the transfer, as identified in the transfer-mapping exercise. It should also take into account any onward transfers that are envisaged. This means that the EUI must obtain all the necessary information from its processor or recipient in the third country.

The EUI must assess whether any laws or practices of the third country, applicable to the transferred data and/or the data importer, interfere with the data importer’s ability to comply with its commitments made in the transfer tool, taking into account the circumstances surrounding the transfer.

If the EUI has identified that supplementary measures are needed, it must implement them before carrying out the transfer.

Transfers mechanisms under Chapter V of Regulation (EU) 2018/1725

Chapter V of Regulation (EU) 2018/1725 provides for specific mechanisms and conditions for transfers of personal data from EU institutions to a third country or an international organisation. These mechanisms and conditions aim to ensure that the level of protection of natural persons guaranteed by the EU data protection legislation is not undermined when their personal data is transferred outside the EU.

The Regulation transfers toolbox includes three types of tools:

adequacy decisions,
instruments providing appropriate safeguards
derogations for specific situations, such as for important reasons of public interest.

No transfer can proceed without being based on one of the transfer tools defined in the Regulation.

Transfers based on adequacy decisions

Personal data may be transferred to third countries or international organisations based on an adequacy decision of the Commission and where the personal data are transferred solely to allow tasks within the competence of the controller (i.e. the EUI) to be carried out.

A transfer based on an adequacy decision does not need any authorisation by the EDPS.

The transferring EUI and the data importer both have to implement measures to comply with the other obligations under Regulation (EU) 2018/1725.

It is a special requirement of Regulation (EU) 2018/1725 that EUI must limit the transfers of data outside of the EU/EEA to tasks within the competence of the EUI.

The European Commission carries out adequacy assessments of non-EU/EEA countries and international organisations to determine whether an adequate level of protection of individuals’ data is offered.

Several countries have been deemed to ensure an adequate level of protection:

Andorra,
Argentina,
Canada (limited to commercial organisations),
Faroe Islands,
Guernsey,
Israel,
Isle of Man,
Japan,
Jersey,
New Zealand,
Republic of Korea,
Switzerland,
United Kingdom (under the GDPR and the LED),
United States of America (commercial organisations participating in the EU-US Data Privacy Framework),
Uruguay.

With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector, which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).

The European Commission publishes the list of its adequacy decisions on its website, as well as the latest news on adequacy issues. More generally, it provides regular information on the international dimension of data protection that can be of interest for EUIs when considering international transfers.

EUIs are responsible for monitoring whether adequacy decisions relevant and applicable to their transfers are still in force and not in the process of being revoked or invalidated. They may use for that purpose the information provided by the European Commission.

EUIs must also inform the Commission and the EDPS of cases where they consider that a third country or an international organisation does not ensure an adequate level of protection.

Adequacy decisions do not prevent individuals from filing a complaint. Neither do they prevent the EDPS from exercising their powers under Regulation (EU) 2018/1725.

Transfers based on appropriate safeguards

In the absence of an adequacy decision, personal data may still be transferred if appropriate safeguards are provided and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Such safeguards may be provided in standard data protection clauses (so-called standard contractual clauses, "SCCs") or another transfer tool pursuant to Article 48 EUDPR or, for transfers from a non-EUI processor to sub-processors, in accordance with Article 46 GDPR.

The aim of the tools listed under Article 48 EUDPR or Article 46 GDPR is to ensure an adequate (essentially equivalent) level of protection in the context of a specific transfer as opposed to an adequacy decision, which is valid for any transfer to that country. In order to ensure such level of protection, the adoption of measures supplementing the appropriate safeguards may be required. In light of the level of protection guaranteed by Articles 4, 5, 6, 9 and 46 of Regulation (EU) 2018/1725, also a transfer to a non-adequate third country may take place only where the personal data is transferred solely to allow tasks within the EUI’s competence to be carried out.

According to Article 48 of Regulation (EU) 2018/1725, appropriate safeguards can be provided without any specific authorisation from the European Data Protection Supervisor (EDPS) based on:

legally binding and enforceable instruments with public authorities or international organisations. The EDPB has issued Guidelines on legally binding and enforceable instruments and administrative arrangements under the GDPR, which set a list of minimum safeguards to be included in such tools. These guidelines apply mutatis mutandis to the EU institutions. Pursuant to Article 42 of the Regulation, the EDPS is consulted on such international agreements, but does not need to issue an authorisation;
standard data protection clauses for transfers under Regulation (EU) 2018/1725 adopted by the Commission or those adopted by the EDPS; or
where the processor is not a Union institution or body, binding corporate rules ("BCRs"), codes of conduct or certification mechanisms pursuant to points (b), (e) and (f) of Article 46(2) of GDPR. All the three instruments must provide binding and enforceable commitments, including with regard to data subject rights.

Appropriate safeguards may also be provided, but subject to the authorisation from the EDPS by:

ad hoc contractual clauses with non-EU/EEA private entities between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation. Such "ad hoc contractual clauses” must contain binding commitments and obligations and enforceable rights for the EUI and data subjects; or
non-binding administrative arrangements with public authorities or international organisations ensuring enforceable data subject rights. The EDPB issued Guidelines on legally binding and enforceable instruments and administrative arrangements under the GDPR, which set a list of minimum safeguards to be included in such tools. These guidelines apply mutatis mutandis to the EU institutions; or
transfers previously authorised under Article 9(7) of Regulation (EC) No 45/2001.

The EDPS publishes the decisions authorising the use of contractual clauses or administrative arrangements by EUIs.

Transfers based on derogations for specific situations

Regulation (EU) 2018/1725 provides that in the absence of an adequacy decision, or of appropriate safeguards pursuant to Article 48 of this Regulation, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only where specific conditions are met.

Derogations under Article 50 of Regulation (EU) 2018/1725 are exemptions from the general principle that personal data may only be transferred to third countries or international organisations if an adequate level of protection is provided for in the third country or international organisation or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights.

Considering that Article 50 of the Regulation (EU) 2018/1725 must be interpreted in accordance with the Charter, derogations can apply only insofar as is strictly necessary and must be narrowly construed.

Derogations must also be interpreted restrictively so that the exception does not become a rule. This is also supported by the wording of the title of Article 50, which states that derogations are to be used for specific situations.

When considering transferring personal data to third countries or international organizations, data exporters should therefore favour solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards to which they are entitled as regards processing of their data once this data has been transferred.

Thus, EUIs wishing to transfer data outside the EU/EEA can - in limited and specific cases - refer to one of the derogations listed in Regulation (EU) 2018/1725, provided that no other transfer tool can be used.

Examples of derogations include, an individual giving their explicit consent for their personal data to be transferred, if a transfer is necessary for the conclusion or performance of a contract, or is necessary for important reasons of public interest as recognized by EU law, or for exercising defence in legal proceedings. See for example the EDPS supervisory Opinion on transfers based on consent: EDPS Supervisory Opinion on the use of explicit consent on transfers (27 July 2021).
Another example is derogation under Article 50(1)(d) of Regulation (EU) 2018/1725, namely, ‘when the transfer is necessary for important reasons of public interest’. This derogation requires that the transfer of personal data is necessary for important reasons of public interest recognised in Union law.

In the first place, the data exporter must identify and document the existence of such ‘public interest’. Examples of public interest may include management and functioning of the EUIs, or public security or health.

The identified public interest must be explicitly ‘recognised’ in ‘Union law’, which encompasses EU primary laws, general principles of EU law, international agreements recognising a certain objective or providing for international cooperation to foster that objective, EU secondary laws and the case law of the Court of Justice of the EU. It might also encompass internal rules of the EUIs as long as they meet the requirements to be considered ‘Union law’ under Recital 23 of Regulation (EU) 2018/1725.

As any processing operation, such as a transfer, is an interference with the fundamental rights, provisions of Article 50 of Regulation (EU) 2018/1725 must be interpreted in light of the Charter, in particular its Article 52(1). Therefore, in the second place, the data exporter must assess and document whether the planned transfer of personal data respects the essence of the rights and freedoms that the transfer interferes with, and whether the planned transfer is in accordance with the principles of proportionality and necessity.

The necessity and proportionality assessment must be conducted for all derogations under Article 50(1), except consent.

The EDPS recalls that processors should in principle not be relying on Article 49 GDPR derogations to transfer personal data on behalf of EUI, as this is a decision of the EUI as controller to make. Instead, Article 50 Regulation (EU) 2018/1725 should be relied on.

The obligation to inform the EDPS about certain categories of international transfers

In accordance with Article 48(5) and Article 50(6) of Regulation (EU) 2018/1725 respectively, EUIs must inform the EDPS of the categories of cases in which they carry out transfers subject to appropriate safeguards or when they use derogations for specific situations. EUIs already have to keep, as part of their records of processing activities, information on transfers of personal data to third countries and international organisations, including the identification of the recipient and the documentation of suitable safeguards, so they can rely on this obligation to prepare the notification to the EDPS.

EUIs have the flexibility to choose how often they send notifications based on their own evaluation. However, the EDPS expects to receive this information at least once every year.

There is no standard format for these notifications to EDPS yet. However the EDPS recommends to ensure that these notifications contain for each case at least the following information:

The identification of the controller and the record of processing to which the transfer or the set of transfers relates
The third country or international organisation of destination
The transfer tool used, including the specific use case when using derogations for specific situations
The categories of data subject to transfer, including detailed information when special categories of personal data are involved
The number of transfers / number of affected data subjects

In accordance with Article 47(2), EUIs must also inform the Commission and the EDPS of cases where they consider that a third country or an international organisation does not ensure an adequate level of protection.

The EDPS may use the information provided for monitoring and enforcement purposes, as well as to provide guidance. In that regard, the EDPS may contact EUIs on the basis of the notifications received to request further information.

More Information

The following non-exhaustive list is a selection of documents for further reading:

EDPS documents:

EDPS documents on authorisation decisions and relevant consultations on transfers

Other:

International transfers