Cross-border Transfer of Personal Data
I have bought some of your GDPR templates and I am working through them now. I would like to know a bit more about cross-border transfer of personal data. We have good safeguards in place, but I need to know how this process should ideally be organized. Should we notify a DPA and get approval for the transfer? Is this always required and, if so, is there a preferred DPA or way to choose a DPA? Agreements that we sign with EU companies generally refer to England and Wales as governing law and this tends to be the preferred location for arbitration.
Cross-border transfer of personal data under GDPR happens when personal data based in the EU are transferred to third countries (e.g. US, Canada). Those transfers can be based on:
- An adequacy decision by the European Commission. It means that the European Commission analyzed the data protection rules of the third country and estimated it gives an adequate level of protection for the freedom and rights of individuals. The Commission adopted adequacy decisions for the following countries: Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the United States (Privacy Shield).
- Standard data protection clauses adopted by the Commission. These are contractual clauses that grant some protection rights to parties.
- Standard data protection clauses adopted by a supervisory authority.
- An approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights or an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
In the above-mentioned cases, you do not need to notify a DPA of the cross-border transfer of data because it is considered compliant with the GDPR.
Note that you will need to consider the impact of Brexit from January 2021, when the UK will no longer be part of the European Union.
Here you can find some useful material about data transfer:
- 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
- Standard Contractual Clauses for the Transfer to Processors and Standard Contractual Clauses for the Transfer to Controllers: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
- EU GDPR Article 44 – General principle for transfers: https://advisera.com/eugdpracademy/gdpr/general-principle-for-transfers/
- EU GDPR Article 45 – Transfers on the basis of an adequacy decision: https://advisera.com/gdpr/transfers-on-the-basis-of-an-adequacy-decision/
- EU GDPR Article 46 – Transfers subject to appropriate safeguards: https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/
- Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
You can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
May 13, 2020