GDPR - transfer of personal data outside the territory of the European Union



The territorial scope of the GDPR is very wide. The GDPR applies to personal data administrators and processors based in the European Union. Factors such as the type of data or the characteristics of the data subjects are irrelevant to the scope of the provisions. If the data controller meets the seat criterion (for example, if the seat of the entrepreneur processing personal data is in Poland), it must apply the provisions of the GDPR, even if it processes the data of natural persons (e.g. clients or contractors) residing in non-EU countries. At the same time, if the data controller plans to transfer personal data it holds outside the territory of the European Union, it must comply with the specific rules laid down in the regulation.

Transfer of personal data - the principle of free movement

The GDPR introduced the so-called principle of the free flow of personal data, which applies to the territory of countries belonging to the European Economic Area (European Union countries and Iceland, Norway and Liechtenstein). Other countries are treated as so-called third countries. As of March 30, 2019, Great Britain is also treated as a third country.

In accordance with the principle of free transfer, the transfer of data between personal data administrators and processors based in the above-mentioned area does not require any additional consents or permits. Data controllers based in the EEA are required to apply the provisions of the GDPR, and therefore personal data should be equally secure.

Adequate degree of protection or adequate safeguards

If the data controller intends to transfer personal data outside the territory of the European Union, it must ensure the security of the transfer. Pursuant to the provisions of the GDPR, the procedure to be followed depends on the country to which the data is to be transferred:

  • if the European Commission finds that a given country ensures an adequate level of protection, the transfer does not require a separate authorization;

  • in other cases, the data controller is - as a rule - obliged to obtain permission to transfer data, unless there are exceptions listed in the regulation.

The provision of Art. 45 sec. 1 of the GDPR - the principle of data transfer to third countries
"The transfer of personal data to a third country or an international organization may take place when the Commission finds that that third country, territory or specific sector or specific sectors in that third country or the international organization in question ensures an adequate level of protection. Such transfer does not require special authorization."

The list of third countries which fulfill the condition of providing personal data with an "adequate level of protection" is published in the Official Journal of the European Union. This means that if the entrepreneur plans to transfer personal data outside the EU (for example, the entrepreneur only acts as an intermediary in the conclusion of the contract for the sale of goods, the execution of the order and shipment of the product occur directly from a third country, and the entrepreneur must provide personal data to his contractor located there in order to execute the order), then before taking these actions he should check in the list published by the European Commission whether he can transfer the data without the need to obtain a special authorization. Examples of countries for which the European Commission has issued a decision on ensuring an adequate level of protection (the so-called adequacy decision) are, inter alia, Canada, New Zealand and Israel.

If the data controller plans to transfer personal data to a third country, it is obliged to inform the data subject of this intention (legal basis: Article 13 (1) (f) of the Regulation). The information obligation rests with the data controller at the time the data is collected and does not depend on the country to which the data is to be transferred.

Long list of exceptions

The provisions of the GDPR provide that if the European Commission has not issued a decision on the adequate protection of personal data by a third country, the data controller may transfer the data if:

  • adequate security measures are provided for the transmitted data;

  • the third country has enforceable personal data protection rights and effective remedies.

Both of the above conditions must be met cumulatively.

Pursuant to the provision of Art. 46 sec. 2 of the GDPR, appropriate safeguards can be ensured, for example, by:

  • the use of so-called corporate rules;

  • introduction to the contract of appropriate data protection clauses adopted by the European Commission or the supervisory authority (UODO);

  • undergoing the certification process and obtaining a certificate confirming the compliance of the operations performed by the data controller with the applicable GDPR procedures.

Corporate rules are documents specifying the data and type of entrepreneurs providing personal data, types of processing and purposes of processing, groups of persons whose data will be processed, general data protection rules, assumption by administrators of legal responsibility for the processed data and their security, information obligations of administrators, procedure regarding complaints, mechanisms of cooperation with the supervisory authority.

In the event that the European Commission has not issued an adequacy decision, and the data controller is not able to ensure an adequate level of security using the methods indicated above, the transfer of data to a third country is still permissible if one of the conditions set out in Art. 49 of the Regulation is met:

  • the data subject has expressly consented to their disclosure, and prior to granting it, was informed about the possible risks which - due to the lack of an adequacy decision and the lack of appropriate safeguards - may be associated with the proposed transmission;

  • the transfer of data is necessary for the performance of a contract concluded between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

  • the transfer is necessary for important reasons of public interest (public interest is understood as an interest recognized in EU law or in the law of the Member State in which the data controller is based);

  • the transfer is necessary to establish, pursue or protect claims;

  • the transfer is necessary to protect the vital interests of the data subject or of other persons, if the data subject is physically or legally incapable of giving consent;

  • the transfer takes place from a register which, pursuant to Union law or the law of a Member State, is to serve as a source of information for the general public and which is accessible to the general public or to any person who can demonstrate a legitimate interest (only to the extent that, in a given case, the conditions for such access laid down in Union law or the law of a Member State are met).

Important! The consent of a natural person to transfer data to a third country must be clearly expressed, after the person has been informed about the possible risks related to the transfer procedure and the lack of adequate data security.

If none of the conditions described above are met, the data controller may transfer the data to a third country only if the data is transferred once (not repeatedly), the transfer applies to a limited group of people and is necessary due to an important legitimate interest, and the data controller has made its own assessment of all circumstances in which the transfer of personal data takes place and provided appropriate security measures. In such a situation, the data controller is obliged to inform both the supervisory authority (in Poland it is the Personal Data Protection Office) and the data subject.