Chapter 5 of the GDPR (Articles 44 to 50) defines the obligations of controllers and processors when they transfer personal data to countries outside the European Economic Area (EEA) or to an international organisation. The rationale behind these obligations is that the data of European individuals should receive the same level of protection as under the GDPR even when it is transferred outside Europe.
You must have heard of Schrems II, the July 2020 decision of the Court of Justice of the EU that invalidated the EU-US Privacy Shield as a mechanism for transferring data from Europe to the USA. This puts a lot of extra compliance burden on organisations in Europe and on US companies, but it is based on the principle of data protection: a transfer mechanism only works if the protection actually follows the data.
Article 44 or Transfer requirements:
Article 44 of the GDPR states that controllers or processors transferring personal data to international organisations or to countries outside the EEA must rely on one of the transfer mechanisms listed in Chapter 5. This applies to onward transfers as well, so a data importer passing the data on to another third country needs a valid mechanism too. We will go through the list of these transfer mechanisms:
- Adequacy Decision(Article 45)
- Appropriate Safeguards(Article 46)
- Binding Corporate Rules(Article 47)
- Derogations(Article 49)
Adequacy Decision(Article 45)
Under the GDPR, the European Commission (after an opinion from the European Data Protection Board, EDPB) can adopt an adequacy decision for a country, a territory, a specified sector within a country, or an international organisation where it finds that the level of data protection is essentially equivalent to that required under the GDPR. Transfers to a destination covered by an adequacy decision do not need any further authorisation or safeguard. Examples of countries with adequacy status at the time of writing are:
- United Kingdom (adequacy decision adopted in June 2021, after Brexit)
- New Zealand
The full list of countries with an adequacy decision can be found on the European Commission's website.
Appropriate Safeguards(Article 46)
If the country to which the transfer is made does not have an adequacy decision, the controller or processor has to provide appropriate safeguards, together with enforceable data subject rights and effective legal remedies for data subjects. Generally these appropriate safeguards are put in place by signing a contract between the data exporter (the company transferring the data) and the data importer (the company in the non-EEA country receiving the data). The most commonly used options are:
- Standard Contractual Clauses
- Binding Corporate Rules
- Code of conduct & Certification Mechanism
Types of Standard contractual clauses:
Post Schrems II, standard contractual clauses (SCCs) are the most popular transfer mechanism used by companies for international transfers of data. Note that Schrems II also requires the exporter to assess, case by case, whether the law of the destination country undermines the protection the SCCs provide, and to add supplementary measures where it does. To sign the right SCCs you should first determine what role the data importer is playing; the following options are possible:
- Data importer as processor: for example, a SaaS company receiving data in the USA, such as Hubspot. Sign a controller-to-processor SCC.
- Data importer as controller (joint or independent): for example, a group company that processes the data as a joint controller. Sign a controller-to-controller SCC.
- Data importer as sub-processor: for example, a SaaS company transferring data to its own sub-processors in the USA. Sign a processor-to-processor SCC.
Binding Corporate Rules(Article 47)
Multinational companies transferring data between group companies can rely on Binding Corporate Rules, which provide appropriate safeguards for those intra-group transfers. BCRs have to be approved by the competent supervisory authority to be valid.
Binding Corporate Rules (BCRs) ensure that data transfers within a corporate group comply with the GDPR.
The following are the benefits of BCR for corporates:
- Less administrative hassle during cross-border transfers, since no separate contract is needed for each intra-group transfer.
- A competitive edge, as approved BCRs are a recognised mark of good data protection practice.
- Proof that the corporate group has harmonised data practices in place.
- Adherence to the data protection principles throughout the group, including trained personnel.
The following information must be present in BCRs:
- The structure of the group of enterprises engaged in a joint economic activity and its members.
- Contact details of the group and of each of its members.
- Details of the data transfers or sets of transfers: which personal data, the processing purposes, the types of processing, the categories of data subjects concerned, the destination countries, etc.
- Their legally binding nature, both internally within the group and externally towards data subjects.
- Application of the general data protection principles (purpose limitation, data minimisation, storage limitation, data quality, security, and the requirements for onward transfers).
- Data subject rights, the means to exercise those rights, the right to lodge a complaint, and so on.
- Liability of the controller or processor established in the EU for breaches of the BCRs by any member outside the EU, unless it proves that the member is not responsible.
- Provision of information on the BCRs to data subjects, in accordance with the information duties of the GDPR.
- The tasks of any DPO or other entity charged with monitoring compliance.
- Complaint procedures and their handling.
- Data protection audits and methods for correcting deficiencies to protect data subject rights.
- The various obligations towards the supervisory authority, including reporting changes to the BCRs and cooperating with the authority.
- Appropriate data protection training for staff with regular or permanent access to personal data.
It should also be kept in mind that the requirements for controllers and processors differ under BCRs.
Controller BCRs are suitable for data transfers from controllers established in the EU to other group companies acting as controllers, or to group companies acting as processors, established outside the EU. They apply to entities within the same group acting as controllers and to entities acting as 'internal' processors.
Processor BCRs, by contrast, apply to personal data received from a controller established in the EU which is not a member of the group and then processed by group members as processors or sub-processors. These BCRs are an alternative to incorporating the EU Commission Standard Contractual Clauses (SCCs) into service agreements with such controllers.
If you are transferring data outside Europe, the GDPR puts additional obligations on you as a controller or processor. Ensure that you know about all your data transfers, including onward transfers by your processors, and that you have appropriate safeguards in place for each of them. You can also use our GDPR data mapping product to get a transfer report and an international transfer map showing your obligations.