The European Commission has put in place various rules to guarantee a high level of protection for data transfers outside the EU.
The General Data Protection Regulation (GDPR) came into force in May 2018. Under this regulation, data transfers outside the EU are only permitted if certain conditions are met.
Articles 44 et seq. of the GDPR provide a framework for the transfer of personal data from the EU to a third country that may be carried out in the course of a company's activity (e.g. using a service provider located in the United States).
However, these rules only apply if the data transfer is from the EU to a third country such as Canada. These rules do not apply if the data is transferred from a third country such as the USA to the EU.
In principle, any transfer to a third country is prohibited, but there are 3 main exceptions to this prohibition. You may transfer personal data outside the European Union (EU) with a service provider or partner, but it is necessary to ensure that the data transferred is protected at an adequate level.
The European Commission has adopted various rules to guarantee a high level of protection for transfers of personal data to third countries. These rules are:
A Data recipient country that has received an adequacy decision from the European Commission is considered to offer an adequate or equivalent level of protection to the EU. In this case, you can transfer data without constraint, as if this country were a member of the EU (e.g. Canada).
The full list of countries subject to an adequacy decision is available here.
If the Data recipient country has not been the subject of an adequacy decision, and you are an individual or non-international company, you can use standard contractual clauses, drawn up by the European Commission, to govern data transferred between two entities. Standard contractual clauses are often incorporated into the data processing agreements of your partners and technical service providers.
The model contractual clauses are available here.
On the other hand, if the Data recipient country has not been the subject of an adequacy decision, and you are an international company with numerous subsidiaries located in third countries, then you can conclude binding corporate rules (BCR) to govern transfers outside the EU.
These are mechanisms that enable companies to commit to high standards of personal data protection when transferring data to third countries.
BCRs require compliance with an approval procedure with the supervisory authorities, which can take up to 12 months!
Data controllers and processors of personal data must also put in place measures to ensure compliance with these rules. The Court of Justice of the European Union has also clarified the criteria for determining whether third countries, such as the USA, guarantee a sufficient level of protection for transferred data.
If none of these conditions can be met, it is necessary to obtain the explicit consent of data subjects for the transfer of their personal data outside the EU. Consult a Data Protection Officer (DPO) to ensure that you comply with legal requirements regarding the transfer of personal data.
Dipeeo's legal team checks data transfers outside the EU when auditing your technical service providers, in particular by verifying whether the contract is based on standard contractual clauses currently in force.