There are no restrictions on the transfer of personal data to EEA countries as the GDPR applies throughout the EEA.
The EEA countries are as follows:
- Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK
- Iceland, Liechtenstein and Norway
The European Commission has the power to determine, on the basis of GDPR Article 45, whether a country outside the EEA offers an adequate level of data protection.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection.
Adequacy talks are ongoing with Japan and South Korea.
Note about the US Privacy Shield framework
It should be noted that the US Privacy Shield framework is a self-certification process that may be used by any US organisation that is subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT). These organisations do not usually have jurisdiction over not-for-profit organisations such as universities and similar. If you wish to use the US Privacy Shield framework to facilitate data transfers outside of the EEA, you will need to check with your partner organisation to see if they are certified under this framework.
If the US organisation is not, or is not eligible to be, certified under the US Privacy Shield framework, then adequate safeguards may be put in place in a number of ways including using Model Contract Clauses, Binding Corporate Rules or Binding Corporate Rules for Processors (BCRs) or other contractual arrangements. Where “adequate safeguards” are established, the rights of data subjects continue to be protected even after their data has been transferred outside the EEA.
Transfers subject to appropriate safeguards
GDPR provides mechanisms for cross-border data transfers in the absence of an adequacy designation if the controller or processor utilizes certain safeguards. These safeguards must ensure that the individual data subject has enforceable rights and that there are effective legal remedies for the individual available following the data transfer.
The appropriate safeguards are:
- a legally binding agreement between public authorities or bodies;
- binding corporate rules (agreements governing transfers made between organisations within a corporate group);
- standard data protection clauses in the form of template transfer clauses adopted by the Commission;
- standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission;
- compliance with an approved code of conduct approved by a supervisory authority;
- certification under an approved certification mechanism as provided for in the GDPR;
- contractual clauses authorised by the competent supervisory authority; or
- provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority.
Transfers that have neither an adequacy decision nor adequate safeguards
Even where there is no Commission decision authorising transfers to the country in question, if it is not possible to demonstrate that individuals’ rights are protected by adequate safeguards and none of the derogations apply, the GDPR provides that personal data may still be transferred outside the EU.
However, such transfers are permitted only where the transfer:
- is not being made by a public authority in the exercise of its public powers;
- is not repetitive (similar transfers are not made on a regular basis);
- involves data related to only a limited number of individuals;
- is necessary for the purposes of the compelling legitimate interests of the organisation (provided such interests are not overridden by the interests of the individual); and
- is made subject to suitable safeguards put in place by the organisation (in the light of an assessment of all the circumstances surrounding the transfer) to protect the personal data.
In these cases, organisations are obliged to inform the relevant supervisory authority of the transfer and provide additional information to individuals.
Chapter V (Articles 44 through 49) of the GDPR governs international or cross-border transfers of personal data.
- Article 45 states the conditions for transfers with an adequacy decision
- Article 46 sets forth the conditions for transfers by way of appropriate safeguards in the absence of an adequacy decision
- Article 47 sets the conditions for transfers by way of binding corporate rules
- Article 48 addresses situations in which a foreign tribunal or administrative body has ordered a transfer not otherwise permitted by the GDPR; and
- Article 49 states the conditions for derogations for specific situations in the absence of an adequacy decision or appropriate safeguards.
In addition, GDPR recitals 101 to 115 are relevant.
This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.
It is intended to be general guidance for educational and informational purposes only.
It is not legal advice.