Data protection transfer to third countries

Datenübermittlung in Drittländer

Data transfer to third countries, also referred to as transfer of personal data to third countries, refers to the transfer of personal data from a member state of the European Union (EU) or the European Economic Area (EEA) to a country outside the EU or EEA. This is an important term in the context of the European Union's General Data Protection Regulation (GDPR).

The GDPR contains specific provisions on the transfer of personal data to third countries, as these countries may not offer the same level of data protection as the EU. The GDPR allows the transfer of personal data to third countries under certain conditions:

  1. Adequacy decision: the European Commission may decide that a third country offers an adequate level of protection for personal data. In this case, the transfer to this country can take place without further authorisation.

  2. Adequate safeguards: If there is no adequacy decision, personal data can be transferred to a third country if adequate safeguards for the protection of the data are in place. This may involve contracts with standard data protection clauses (standard contractual clauses) being concluded between the parties to ensure that data protection standards are met.

  3. Binding Corporate Rules (BCR): Multinational companies can develop and have approved BCRs that can be used for the transfer of data within the group of companies to third countries.

  4. Requests for information from third countries: If a third country requests access to personal data, companies must ensure that they comply with the requirements of the GDPR and consult the data protection supervisory authority if necessary.

  5. Consent of the data subject: The data subject can give their express consent to the transfer of data to a third country.