The General Data Protection Regulation (GDPR): What About Data Stored or Transmitted Outside the EU? Written by: Rutger Ketting of Nysingh advocaten-notarissen N.V. (Apeldoorn, The Netherlands - TAGLaw).

1. GDPR
Transfer of personal data outside
the European Economic Area
Rutger Ketting

2. Introduction
1. Introduction
2. Adequacy decisions
3. Transfer mechanisms
4. Derogation of specific situations
5. EU – US Privacy Shield

3. Adequacy decisions
• Decision of the European Commission that third country ensures adequate level of
protection of personal data.
• General approval, no specific authorisation required for individual transfers.
• Adequacy decisions for (https://ec.europa.eu/info/strategy/justice-and-fundamental-
rights/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-
eu-countries_en):
– Andorra
– Argentina
– Canada
– Faroer Islands
– Guernsey
– Israel
– Isle of Man
– Jersey
– New Zealand
– Switzerland
– Uruguay and the US (limited to the Privacy Shield framework)
• Adequacy talks are ongoing with Japan and South Korea.
• Decisions do not cover exchange of data in law enforcement sector.
3

4. Transfer mechanisms
4
Existing mechanisms
1. Standard contractual clauses
2. Binding corporate rules
New mechanisms
1. Standard contractual clauses certified by national DPA
2. Approved code of conduct
3. Approved certification mechanism

5. Standard contractual clauses
• Adopted by the EU Commission or adopted by the supervisory authority and
approved by the EU Commission.
• SCC adopted by the Commision under the Data Protection Directive
(95/46/EC) remain valid until amended/replaced/repealed.
• SCC currently available (https://ec.europa.eu/info/strategy/justice-and-
fundamental-rights/data-protection/data-transfers-outside-eu/model-contracts-
transfer-personal-data-third-countries_en )
– EU controller to non-EU or EEA controller
• decision 2001/497/EC
• decision 2004/915/EC
– EU controller to non-EU or EEA processor
• decision 2010/87/EU
5

6. Binding corporate rules
• International rules for data transfers within multinational companies. i.e.
internal code of conduct.
• Binding corporatie rules must:
– contain privacy principles (e.g. transparancy, data quality, security)
– contain tools of effectiveness (audit, training, compliancy systems)
– be binding and enforced by every member of the group of undertakings concerned
– Expressly confer enforceable rights on data subjects
– Meet requirements set out in working papers adopted by WP 29 (WP 153)
• Article 47 (2) GDPR contains minimum requirements
• Binding corporate rules must be approved by competent supervisory authority
6

7. Binding corporate rules
• Approximately 90 corporations with BCR’s:
7

8. Codes of conduct
• Associations and other bodies representing categories of controllers or
processors may prepare codes of conduct.
• Approval by competent supervisory authority is required.
• Controllers/processors in third countries must make binding and
enforceable commitments via contractual or other legally binding
instruments to provide for the appropriate safeguards required by the
code of conduct including the safeguards with regard to the rights of data
subjects.
8

9. Certification
• Certification by certification bodies that are accredited by the competent
supervisory authority or the national accreditation body pursuant to regulation
No 765/2008).
• Certification shall be voluntary.
• Controllers/processors in third countries must make binding and enforceable
commitments via contractual or other legally binding instruments to provide
for the appropriate safeguards required for the certification including the
safeguards with regard to the rights of data subjects.
9

10. Derogation for specific situations
– Explicit consent: Data subject has provided explicit consent after having been
informed of possible risks of transfer due to absence of adequacy
decision/appropriate safeguards (not applicable for public authorities in the exercise
of their public powers); or
– Necessity: The transfer is necessary for:
• the performance of a contract between the data subject and the controller or for the
implementation of precontractual measures at the data subject’s request (not
applicable for public authorities in the exercise of their public powers); or
• the conclusion or performance of a contract concluded in the interest of the data
subject between the controller and another legal or natural person. (not applicable
for public authorities in the exercise of their public powers); or
• important reasons of public interest recognised by Union Law or member state law to
which the controller is subject. Law must set limits to transfer; or
• Establishment, excersise or defence of legal claims; or
– Vital interest: The transfer is necessary in order to protect the vital interrest of the
data subject or other persons, where the data subject is physically or legally
incapable of giving consent; or
– Public registers: The transfer is made from a register which according to Union or
member state law is intended to provide information to the public.
10

11. Derogation for specific situations
– Extra exception (NEW under GDPR)
Requirements:
• The transfer is non-repetitive; and
• Concerns a limited number of data subjects; and
• And is necessary for the purposes of compelling legitimate interests pursued by
the controller which are not overridden by the interests and rights and freedoms of
the data subject; and
• The controller has assessed all circumstances surrounding the transfer and has
provided suitable safeguards with regard to the protection of data.
• When this exception is used, the controller shall inform the supervisory authority
of the transfer and shall inform the data subject of the legitimate compelling
interests pursued.
11

12. US-EU Privacy Shield Framework
• Adopted 12 July 2016, Effective 1 August 2016
• Agreement between EU and US.
– Only applies to US Companies that have registered to by on the privacy shield list
(https://www.privacyshield.gov/list ).
– Registration requires self-certification that company meets the high data protection
standards set out by the arrangement. Registration must be renewed every year.
– strong data protection obligations on companies receiving personal data from the
EU.
– Enforcement by US Department of Commerce and the Federal Trade Commission
(FTC).
– Increased cooperation with the European Data Protection Authorities.
– safeguards on US government access to data.
– effective protection and redress for individuals.
– an annual joint review by EU and US to monitor the correct application of the
arrangement.
• Replaces Safe Harbor Principles (declared invalid by European Court of
Justice decision of 6 October 2015).
• Challenges pending (first challenge dismissed on procedural grounds in
November 2017).
12

13. Contact details
13
Company details
Nysingh advocaten – notarissen N.V.
Phone: 0031 38 425 92 00
Website: www.nysingh.nl
Personal details
Rutger Ketting
Mobile: 0031 6 306 48 127
Email: R.Ketting@nysingh.nl