Data Protection Academy » Data Protection Wiki » Data transmission to third countries

Binary numbers over a world map symbolising data transmission to third countries
Note

Since 10 July 2023, a new agreement between the EU and the US has entered into force, the EU-US Data Privacy Framework.

Note

THE EUROPEAN COURT OF JUSTICE (EUGH) DECLARED THE EU-US PRIVACY SHIELD INVALID ON 16.07.2020 (CASE C-311/18).

Data transmission to countries outside the European Union (third countries)

Background

The European Commission has, in accordance with Article 45 (3) DSGVO (General Data Protection Regulation), the possibility to adopt so-called adequacy decisions for the transfer of personal data to countries outside the European Union, so-called third countries. The adequacy decision for a third country states that this country provides adequate protection of personal data in accordance with the GDPR ...is showing.

These adequacy decisions may relate to entire countries or only to parts or sectors of these countries. Monaco is mentioned as an example. Monaco is generally classified as a third country. However, for the financial transactions sector, an adequacy decision has been taken, so that the transfer of personal data allows this context without further action.

If personal data is to be transferred to third countries without an adequate level of data protection outside the EU, the controller (for example, the managing director of a company) must ensure that the data transfer to third countries still complies with the laws of the GDPR. There are several ways to do this, which are briefly explained below.

Variants of data transmission between countries

The following data transmission variants personal data to other countries are distinguished and also taken into account in Robin Data:

  1. Data transmission within the countries of the EU
  2. Data transfer from EU countries to countries with an adequate level of data protection
  3. Data transmission to the USA on the basis of EU-US Data Privacy Framework
  4. Data transfer from EU countries to countries without an adequate level of data protection (third countries)

The cases are briefly explained below from the perspective of a European processor and solutions to the lawful transfer of personal data are presented.

1. Data transmission between countries within the EU

If personal data is transferred to countries within the EU, no further action is necessary from a data protection perspective. All countries within the EU are subject to the GDPR.

Bottom line: The protection of personal data is sufficiently regulated and can be transferred without restriction.

2. Data transmission to countries with an adequate level of data protection

For countries with an adequate level of data protection, no further action is necessary when personal data are transferred to these countries. These countries are therefore privileged: they are treated in the same way as countries within the EU.

Currently, the following countries have an adequate level of data protection (Official EU list of countries with adequate levels of data protection):

      • Andorra
      • Argentina
      • Canada
      • Faroe Islands
      • Guernsey
      • Israel
      • Isle of Man
      • Japan
      • Jersey
      • New Zealand
      • Republic of Korea
      • Switzerland
      • United Kingdom (under the GDPR and the LED)
      • United States (commercial organisations operating on EU-US data protection framework participate)
      • Uruguay

Bottom line: Personal data may be transferred to such countries without further restriction.

Whitepaper: Data protection at company sites and persons in the data protection organisation

Whitepaper: Implementing a Directory of Processing Activities in compliance with the GDPR

Part of the white paper on data protection at company sites & persons in the data protection organisation:

  • Get information on Legally permissible data transfers
  • Learn more about the Data protection relevant consideration of different company locations
  • Learn DSGVO-compliant Possibilities of Data transfer to third countries Know
  • Get background information on the Market place principle, third country and group privilege
  • Learn which people Members of the data protection organisation are

Unfortunately this content is currently only available in German. Please feel free to contact us for more information.

External Data Protection Officer

You are welcome to contact us as external data protection officer (DPO) order. We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.

Data transfers to the United States of America (USA)

The USA has only been recognised as a country with an adequate level of data protection since July 2023. The reason for this is the entry into force of the EU-US Data Privacy Framework.

There are a number of ways to make data transfers to the US legally secure. One possibility is to Standard Contractual Clauses (SCC) of the European Commission. The SCCs are a model contract designed to help companies transfer personal data to third countries. The SCCs provide a number of safeguards for data protection, such as requiring the recipient of the data to use the data only for specific purposes and to protect it from unauthorised access.

Another way to make data transfer to the USA legally secure is to use the Use of certification schemes such as the EU-US Privacy Shield. The Privacy Shield is an agreement between the European Union and the United States to ensure data protection in the transfer of personal data between the two regions. Companies participating in the Privacy Shield must comply with strict data protection standards and be regularly certified by an independent auditor.

In the past, the transfer of personal data was regulated by the so-called Safe Harbor Agreement between the EU and the USA in such a way that personal data could be transferred to the USA in accordance with the law. The Safe Harbor Agreement was declared invalid by the European Court of Justice in October 2015.

For this reason, a successor agreement was adopted, the EU-US Privacy Shield. The Privacy Shield was adopted by the European Commission in July 2016 and was declared invalid by the European Court of Justice on 16 July 2020. The successor is the EU-US Data Privacy Framework, the so-called "Privacy Shield 2.0".

Data transmission to third countries

The transfer of personal data to third countries is generally prohibited. However, a transfer of such data is possible if special measures are taken.

These measures are:

  1. Implementation of company-wide guidelines that govern data protection within a company and its subsidiaries, so-called Binding Corporate Rules
  2. The use by the EU of predefined contracts, so-called EU standard contractual clausesto regulate the transfer of personal data with third party companies.
Prof. Dr. Andre Döring

This might interest you too:

The EU-U.S. Data Privacy Framework

On 10 July 2023, the EU-U.S. Data Privacy Framework entered into force. All background information on the adequacy decision.

The Supply Chain Act (LkSG)

The Supply Chain Act (LkSG) came into force on 01.01.2023. Learn about the current regulations and obligations for companies in the article.
IT security incident

What to do in the event of an IT security incident?

The most important facts about IT security incidents. Learn practical tips on recognising and dealing with IT emergencies in the article.