GDPR Transfer to third countries

Transmitting personal data to third countries

The GDPR has put strict rules in place, when it comes to data transfer to third countries or international organizations.

Which countries are third countries?

Third countries are territories outside: EU, EEA, Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom and Uruguay. 

Conditions for transfer to third countries or organizations

If companies are transferring personal data to third countries, the GDPR provides additional conditions.

  1. Article 46 section 2 allows companies to send personal data to third countries, if companies have applied appropriate safeguards, for example binding corporate rules, standard data protection clauses, code of conduct and approved certifications. The most suitable safeguard for companies is model contracts adopted by the European Commission. These contractual clauses regulate the data transfer between data controllers and processors. For example, when a company wants to use cloud services, which are stationed outside of the EU, then they can sign the data processing agreement (DPA) that includes standard contractual clauses.
  2. Article 49 section 1 states that in the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organization shall take place only under certain conditions, for example:
       a) explicit consent from the data subject, company must inform the data subject of all the risks that can occur when the data is transferred there;
       b) transfer of data is necessary for the performance of a contract;
       c) establish, exercise or defense of legal claims.

The transfer of personal data under article 49 is allowed only when it is occasional and necessary. This means that the company must evaluate, how often the personal data is sent and is it necessary to send it to the third country or the same result can be achieved inside the EU. The performance of a contract could be used as a legal ground for example for when travel agents transfer personal data of their individual clients to hotels or other commercial partners that organize their clients’ stay abroad.

Companies have an obligation to document the data transfer to third countries or international organizations under Article 30 (records of processing activities).

Get your compliance organized with proper GDPR tools.
Contact us for a demo and get access to 14-day trial.

Save time and be confident

Latest Posts
Why Every Organisation Needs a Solid GDPR Foundation: Lessons from the SportAdmin Breach

Why Every Organisation Needs a Solid GDPR Foundation: Lessons from the SportAdmin Breach

Lesson 1: Privacy Isn’t Optional — It’s a Safety IssueIn the SportAdmin breach, attackers gained access to a database containing...
Is DPO the new AI officer?

Is DPO the new AI officer?

Key Takeaways on AI Compliance and the Role of Privacy Professionals The GDPR Register webinar brought together privacy professionals and...
What Is a DPO? Understanding the Role and Its Importance in GDPR Compliance

What Is a DPO? Understanding the Role and Its Importance in GDPR Compliance

The General Data Protection Regulation (GDPR) establishes the requirement for certain organizations to appoint a Data Protection Officer (DPO). The...
ESG and Data Protection: How GDPR Compliance Drives Sustainable Business Practices

ESG and Data Protection: How GDPR Compliance Drives Sustainable Business Practices

Environmental, Social, and Governance (ESG) compliance has evolved into a critical factor in corporate sustainability. Investors, regulators, and customers now...
Data Transfer Impact Assessments: The Key to GDPR-Compliance

Data Transfer Impact Assessments: The Key to GDPR-Compliance

In today’s globalized business environment, data flows across borders are essential—but they must be secure and compliant with the General...
Is Google Recaptcha GDPR Compliant?

Is Google Recaptcha GDPR Compliant?

Google reCAPTCHA is a popular tool that protects websites from spam and abuse by distinguishing between humans and bots. But...
Your Essential Guide to Developing a Data Breach Response Plan

Your Essential Guide to Developing a Data Breach Response Plan

The General Data Protection Regulation (GDPR) places significant emphasis on securing personal data, particularly in Articles 32-34, which outline requirements...
Biometric Data and GDPR: Key Considerations

Biometric Data and GDPR: Key Considerations

Biometric data is classified by the GDPR as a special category of personal data, subject to enhanced protection. This means...
Why ‘I Don’t Allow Meta’ Posts Don’t Work and What to Do

Why ‘I Don’t Allow Meta’ Posts Don’t Work and What to Do

Every so often, viral posts resurface on Facebook and Instagram declaring:"I do not allow Meta to use my data, pictures,...
GDPR Fine of €475 Million for Netflix: Top 5 Lessons for Everyone

GDPR Fine of €475 Million for Netflix: Top 5 Lessons for Everyone

Netflix is at the centre of a data privacy cliffhanger as the Dutch DPA indicates it is likely to be...