This short guide explains what you need to know about data transfers under the GDPR.
Data transfers are one of the slippery slopes where you can easily violate the GDPR. Despite your best intentions in handling your users’ data, you have to be extremely cautious where you send that data in order to avoid the massive GDPR penalties.
Secure Privacy’s solution doesn’t allow website owners to send data where they are not supposed to. This short guide explains why and shows you the way to compliance.
A data transfer is the act of sending your users’ personal data to a recipient located in a country outside the European Union, or to an international organization. Most often it occurs under a data processing contract.
Let’s say that you collect email addresses with Mailchimp. You collect the email address and send it to the Mailchimp database for keeping and managing your email list. The act of sending your user’s email address, which is personal data, to Mailchimp servers is a data transfer.
The GDPR is very protective of personal data, and therefore it takes data transfers seriously. The European Union has a high level of data protection in place, and it allows data to be transferred only to countries that can guarantee an equally high level of protection. As a result, the GDPR prescribes in detail how you may share data with someone else.
The GDPR has a whole chapter (Chapter V) dedicated to data transfers. It clearly sets out the rules under which you can send data to third countries.
So, if you want to use a data processing tool whose servers are located in another country, you are compliant with the law if you do so on any of the following bases:
The EU has agreements with third countries that have an adequate level of data protection. The level is determined according to a set of standards, such as human rights protection, the rule of law, laws for the protection of personal data, the existence of a supervisory authority for data protection, and others. If the EU is satisfied with those protection levels, it signs an agreement with that country and allows the free transfer of data to it.
The decisions allowing the transfers are called adequacy decisions. You can find the full list of adequate countries here. It is updated every time the EU signs a new agreement with another country.
Of all those countries, the relationship between the EU and the USA is a bit complicated. The US is not a fully adequate country, but you can transfer data freely to companies that are certified under the EU-US Privacy Shield.
The EU-US Privacy Shield is a framework for the exchange of data for commercial purposes between the EU and the US which allows free data transfer from any EU company to certified US companies.
This means that if you want to use a data processing tool located in the US, you can transfer data without restrictions only if the company is certified under the EU-US Privacy Shield. You can search the full list of certified companies here. Make sure you check whether all your US-located data processors are on it. To make it quicker, use our GDPR scanner.
If there is no adequacy decision for the country you want to transfer data to, you can still transfer it freely on the basis of appropriate safeguards for data protection provided by the controller or the processor, as long as the data subject, i.e. your user, has legal remedies available.
Simply said, if the third country has no adequate level of protection, the controller or the processor can take measures to compensate for the lack of adequacy of data protection.
They can do it by:
Aside from the free transfer of data on the basis of appropriate safeguards, you can transfer data to a third country upon authorization by the competent supervisory authority. In this case, you’ll also need appropriate standard contractual clauses for data protection.
If there is no adequacy decision and you have no appropriate safeguards in place, you can still transfer data freely outside of the EU, but only in the following cases:
You are completely safe and compliant as long as you transfer data only inside the EU or to an adequate country. That’s the best way to handle your users’ personal data.
Things may get a little more complicated if you want to send data to a country without an adequate level of protection. You may compensate for the lack of adequacy, but that takes effort, which you can skip by obtaining the user’s consent.
Read all about the Schrems II Decision and EDPB Schrems II Guidance on transferring data outside the EU.
Whatever path you choose, make sure you are compliant with the GDPR. If you need an automated solution for GDPR compliance, click here to check out Secure Privacy.