Transferring personal data to countries outside the EU/EEA or to international organisations can cause additional risks, as in some cases, data protection rules in the recipient's jurisdiction may not exist or may not be up to European standards. For this reason, there are specific rules on such transfers in Chapter V of Regulation (EU) 2018/1725.
The EDPS explained the different possibilities for safeguarding such transfers in a position paper on the transfer of personal data to third countries and international organisations by EU institutions and bodies. While that paper is still about the old Regulation (EC) 45/2001, the general architecture of possible safeguards remains the same. The preferred option is to transfer to recipients in jurisdictions recognised as providing adequate protection. The second-best option is safeguarding such transfers either with standard contractual clauses or basing them on an international agreement including appropriate safeguards. Such transfers do not require a specific authorisation from the EDPS.
Another possible safeguard is to create 'ad hoc' contractual clauses between the exporting European Institution, body, or agency (EUI) and the recipient. A further possibility is to insert provisions into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights. Should EUIs wish to use either of those possibilities, they have to obtain an authorisation from the EDPS before (see Articles 48(3) and 58(3) (e) and (f) of Regulation (EU) 2018/1725).
Finally, there are derogations for some specific situations (see Article 50 of Regulation (EU) 2018/1725; the European Data Protection Board has analysed the equivalent rules in Article 49 of the GDPR in its Guidelines 2/2018).
The EUIs cannot rely on Article 48(3) of the Regulation without having consulted and obtained an authorisation from the EDPS. These authorisations are the successor to authorisations under Article 9(7) of the old Regulation (EC) 45/2001. Authorisations granted by the EDPS under that Article of the old Regulation remain valid until amended, replaced or repealed (see Article 48(4) of Regulation (EU) 2018/1725).
The EDPS publishes these decisions. Please find them below.
EDPS Decision of 13 March 2019 concerning the use of the IOSCO-ESMA Administrative Arrangement by the European Securities and Markets Authority.
EDPS Decision pursuant to Article 9(7) of Regulation (EC) No 45/2001 concerning the transfers of personal data carried out by the European Centre for Disease Prevention and Control (ECDC) to the World Health Organization (WHO) (Case 2017-1120)
EDPS Decision pursuant to Article 9(7) of Regulation (EC) No 45/2001 concerning the transfers of personal data carried out by the European Central Bank for its supervisory activities (Case 2016-0308)
EDPS Decision concerning the transfers of personal data carried out by OLAF through the Investigative Data Consultation Platform pursuant to Article 9(7) of Regulation (EC) No 45/2001