Transborder data flow is a transfer of personal data to a recipient who or which is subject to a foreign jurisdiction. Article 44 of the GDPR states “any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization (…)”
Useful? Embed this infographic on your website.
For instance, a simple email containing personal data is sent to a group internal email address, which includes addresses located outside the EU*, already forms an international data transfer.
So, first, it is important to determine the data that an organization collects and process (Data Mapping), covering the categories of data held and processed by each of its departments and the data transfers and disclosures between them and third parties.
The next step would be to define whether the personal data is being transferred to a country outside the EU**; for that, the following points may help your perusal:
- Storage Place of the Personal Data
- Countries or jurisdictions from which the personal data may be accessed
- Entities to which the personal data may be disclosed and the legal grounds for the disclosure
- List of countries or jurisdictions involved in cross-border data flow
Now, due to the increased digitalization and adoption of technologies -e.g. cloud services and data analytics- and, the implementation of regulations with international scope, there is a strong possibility that an organization is transferring personal data abroad on a daily basis.
In view of the above, note that when transferring data internationally the principle of adequate protection has to be respected. In the absence of adequacy decision, Standard Contractual Clauses (“SCC”) Binding Corporate Rules (“BCR”) and specific derogations are alternative transfer tools.
Also note that because of the GDPR, SCCs will also be available for EU based processor and processor in a non-EU country, BCRs will also be available between business partners and it introduces new instruments for international transfers: “Approved Codes of Conduct” and “Certification Mechanism”.
* EU, EEA and CONVENTION 108: Should be noted that the transfer of personal data with another member state of the European Economic Area (EEA) – Iceland, Lichtenstein and Norway – and or another contracting party to Convention 108 are free of restriction as far as it necessary for the internal market.
The lawinfographic of this article aims to provide you with key points to assess whether an international transfer of personal data is taking place and which transfer mechanisms are available under the GDPR.
Each lawinfographic has a visual presentation and keywords that will allow comprehending at a glance the main topic. The articles may contain several examples that have been taken from the EU law, regulations, guidelines and opinions on the matter. If you require more information, do not hesitate to consult the lawinfographic’s sources below or reach me on LinkedIn.
Art.44-50 of the GDPR
Council of Europe Convention 108
Third countries determined by the EU Commission as ensuring adequate level of protection.
Model Contract Clauses
The EU guidelines for the preparation of BCRs