Professional Documents
Culture Documents
November 2018
Given that cross-border transfer of personal data is more frequent and much more sophisticated due to the
recent development of modern technologies, the EU legislators decided to react to this situation. This has
been done by modification of the relevant rules for personal data transfers in the General Data Protection
Regulation (the “GDPR”). The aim of this article is to provide a brief summary of these modified rules and
recommendations on how to effectively address the issue in practice.
Introduction
When we are talking about transfers of personal to transfer data on this basis only to Andorra,
data abroad, we mean transfers to third countries, Argentina, Canada, Switzerland, Israel, USA,
i.e. non-EU countries. There is no need to Uruguay, the Faroe Islands and Guernsey
regulate data transfers within the EU as the legal Islands, Man and Jersey.
framework for personal data protection is fully
harmonized after GDPR. A transfer of personal
data to a third country is any communication, Transfers subject to appropriate
disclosure or other provision of personal data to safeguards
the controller, processor or other recipient in
a third country outside the EU, regardless where GDPR distinguishes between two categories of
the data are physically stored. To legally transfer appropriate safeguards based on which transfers
data to third countries, the conditions of at least to third countries may be carried out. The first
one of the legal grounds defined in GDPR have category includes those safeguards that must be
to be met. These legal grounds are as follows: approved or are created by a Supervisory
Authority or by the European Commission. Once
a) transfer based on an adequacy decision, these safeguards are approved, they can be used
as such. These are as follows:
b) transfer based on appropriate safeguards
and a) binding corporate rules,
The standard contractual clause is a sample text contractual measures taken at the data
of a contract that a controller or a processor from subject's request;
the EU should enter into with a controller or
a processor from a third country. This text may be c) the transfer is necessary for the conclusion
incorporated into another contract or business or performance of a contract concluded in
terms or used as a separate contract. Currently, the interest of the data subject between the
there are standard clauses adopted by the controller and another natural or legal
European Commission on the basis of the person;
formerly valid Personal Data Protection Directive
d) the transfer is necessary for important
which remain in force and can be used. However,
reasons of public interest;
it should be noted that the validity of these
clauses is currently being reviewed by the CJEU e) the transfer is necessary for the
and may therefore be declared as invalid by that establishment, exercise or defence of legal
court. In the past, the CJEU has already claims;
abolished previously used rules for the transfer of
personal data to the US and it is not excluded that f) the transfer is necessary in order to protect
this will happen in this case again. The approved the vital interests of the data subject or of
codes of conduct and the certification mechanism other persons, where the data subject is
are a dead letter of law at the moment. Currently, physically or legally incapable of giving
there is a code of conduct only for cloud services, consent.
and certification mechanisms do not work in
practice at all so far.
What is the most effective way to
The second category of appropriate safeguards
solve transfers of data to third
includes custom contractual clauses, which the
parties prepare themselves. However, these countries?
clauses have to be approved by the Supervisory
The answer to this question depends on the
Authority before they can be used as a basis for
particular situation. The use of one of the
data transfers to third countries
abovementioned exceptions would be
appropriate in cases where an organization
normally does not transfer personal data to third
Transfers based on derogation for
countries, but a rare situation occurs that requires
specific situations a third-country transfer. However, also regular
transfers that qualify for one of the exceptions
In cases where there is neither decision on
may be based on this legal ground.
adequacy, nor appropriate safeguards described
above, a transfer shall take place only in the In most cases, however, it would not be possible
following situations: or practical to use one of the exceptions. The
easiest way, then, is to use standard contractual
a) the data subject has explicitly consented to
clauses as a basis for transfers. However, it is
the proposed transfer, after having been
worth mentioning the ongoing review by the
informed of the possible risks of such
CJEU again. If an organization chooses to use
transfer for the data subject due to the
the current standard clauses and these are
absence of an adequacy decision and
subsequently invalidated, the contractual
appropriate safeguards;
relationships will need to be re-set. This might be
b) the transfer is necessary for the performance time consuming and administratively demanding.
of a contract between the data subject and
Binding corporate rules would be the most
the controller or the implementation of pre-
appropriate instrument for multinational groups
News Flash I Accace Czech Republic I Transfer of personal data abroad
where data transfers abroad are a regular part of where standard contractual clauses are
their business. In these cases, it certainly makes inadequate, and adopting binding corporate rules
sense to adopt unified, sophisticated and robust would be an unnecessarily robust solution.
rules that govern all the transfers. Custom
clauses can be recommended in those cases
Disclaimer
Please note that our publications have been prepared for Want more news like this?
general guidance on the matter and do not represent
a customized professional advice. Furthermore, because
the legislation is changing continuously, some of the
information may have been modified after the publication
has been released. Accace does not take any Subscribe!
responsibility and is not liable for any potential risks or
damages caused by taking actions based on the
information provided herein.
News Flash I Accace Czech Republic I VAT refund from other EU Member State in the Czech Republic
Contact
Ondřej Lukeš
Associate
E-Mail: Ondrej.Lukes@accace.com
Phone: +420 222 753 480
About Accace
About Accace
With more than 550 professionals, over 2000 international companies as customers and branches in 13
countries, Accace counts as one of the leading outsourcing and advisory services providers in Central
With more than
and Eastern 550 professionals, over 2000 international companies as customers and branches in 13
Europe.
countries, Accace counts as one of the leading outsourcing and advisory services providers in Central and
Accace offices
Eastern Europe.are located in Bosnia and Herzegovina,Czech Republic, Croatia, Germany, Hungary,
Macedonia, Montenegro, Poland, Romania, Serbia, Slovakia, Slovenia and Ukraine. Locations in other
European
Accace countries
offices and globally
are located in the are covered
Czech via Accace’s
Republic, Hungary,trusted network
Poland, of partners.
Romania, Slovakia, Ukraine, Bosnia
and Herzegovina, Croatia, Germany, Macedonia, Montenegro, Serbia and Slovenia. Locations in other
More about
European us on www.accace.com
countries and globally are covered via Accace’s trusted network of partners.