The document outlines the implications of the General Data Protection Regulation (GDPR) concerning cross-border data transfers, emphasizing the requirement for compliance by May 25, 2018. It details the criteria for adequacy decisions, allowed safeguards for data transfers in the absence of such decisions, and various exceptions under which data can be transferred internationally, including explicit consent and public interest. The document also highlights the need for continuous review and the establishment of binding agreements to ensure data protection compliance.

1. pi | contact@3-14.com | www.3-14.com
GDPR – Cross-Border Data Transfers

2. 2 | pi © 2018 pi | contact@3-14.com | www.3-14.com
• Update of the 1995 Data Protection Directive concerning the
protection of natural persons with regard to the processing of
personal data and the free movement of such data
• Impacts all health data processing companies because of the
growing importance of customer and patient data to the
manufacturer’s business
• Most new rules and regulations do not allow grandfathering
• Member States will have the opportunity to maintain or
introduce further conditions with regard to the processing of
genetic data, biometric data and data concerning health
• All companies have to be compliant by 25th May 2018
GDPR - general

3. pi | contact@3-14.com | www.3-14.com
Adequate Jurisdictions

4. 4 | pi © 2018 pi | contact@3-14.com | www.3-14.com
Cross-Border Data Transfers are allowed when the transfer is being
made to an Adequate Jurisdiction. This implies that the third
country has received an Adequacy Decision from the European
Commission.
The Adequacy Decision is influenced by:
• Legal protections for human rights and fundamental freedoms
• Rule of law
• Access of public authorities to transferred data
• The existence of Data Protections Authorities and their
functioning
• Other international commitments and obligations regarding the
protection of personal data
Data Transfer to Adequate
Jurisdictions

5. 5 | pi © 2018 pi | contact@3-14.com | www.3-14.com
Adequacy Decisions are subject to regular review by the
European Commission:
• Adequacy Decisions are periodically reviewed, at least every
four years
• Following the review, the status of Adequate Jurisdiction can
be repealed, amended or suspended by the European
Commission
• Any change made to the Adequacy Decision following a
review is not implemented retro-actively
Review of Adequacy Decision

6. pi | contact@3-14.com | www.3-14.com
Allowed safeguards

7. 7 | pi © 2018 pi | contact@3-14.com | www.3-14.com
In the absence of an Adequate Decision, a number of safeguards are allowed as a basis for
Cross-Border Data Transfers:
• Agreements between Public Authorities
• Binding Corporate Rules
• Model Clauses
• DPA Clauses
• Codes of Conduct
• Certification
Allowed safeguards

8. 8 | pi © 2018 pi | contact@3-14.com | www.3-14.com
Cross-Border Data Transfers are allowed between public authorities:
• Based on legally binding and enforceable agreements between these public authorities
• Does not require any specific Data Protection Authority (DPA) authorisation
• The public authorities ensure that the agreement is compliant with all GDPR requirements
Agreements between Public
Authorities

9. 9 | pi © 2018 pi | contact@3-14.com | www.3-14.com
In accordance with Article 47, Cross-Border Data Transfers are allowed based on Binding
Corporate Rules (BCR):
• The Binding Corporate Rules requires the approval by the competent DPA
• Following the approval, no further DPA approval is necessary for personal data transfers made
under the BCR
Binding Corporate Rules

10. 10 | pi © 2018 pi | contact@3-14.com | www.3-14.com
Model Clauses are standard data protection clauses, as approved by the European Commission.
DPA Clauses are the national alternatives to these Model Clauses.
In both cases, any further DPA authorisation is not required.
Model Clauses & DPA Clauses

11. 11 | pi © 2018 pi | contact@3-14.com | www.3-14.com
Cross-Border Data Transfers can take place on the basis of an approved Code of Conduct,
including binding and enforceable commitments of the controller or processor in the third country.
Transfers made on this basis do not require DPA approval. The Code of Conduct itself however
does require a DPA approval.
Codes of Conduct

12. 12 | pi © 2018 pi | contact@3-14.com | www.3-14.com
Cross-Border Data Transfers can take place on the basis of a DPA-approved Certification,
together with binding and enforceable commitments of the controller or processor to apply all
appropriate safeguards.
Transfers made on this basis do not require DPA approval. The Certification itself however does
require a DPA approval.
Certification

13. pi | contact@3-14.com | www.3-14.com
Derogations

14. 14 | pi © 2018 pi | contact@3-14.com | www.3-14.com
Next to transfer to Adequate Jurisdiction or under the allowed Safeguards, a number of
exceptions from the GDPR on the transfer of personal data outside the EU without adequate
protections are possible:
• Specific situations related to the Data Subject
• Public Interest
• Legal Claims
• Public Register
• Compelling Legitimate Interests
• Administrative Arrangements
• Third Country Judgement and Decisions
Possible Derogations

15. 15 | pi © 2018 pi | contact@3-14.com | www.3-14.com
Cross-Border Data Transfer is possible whenever:
• The Data Subject has given explicit consent, after having been clearly informed of all risks
related to such a transfer.
• The transfer is necessary for the performance of a contract between data subject and data
controller or the implementation of pre-contractual measures taken in response to the data
subject’s request.
• The transfer is necessary for the performance or conclusion of a contract between data
controller and a third party, provided the transfer is in the interest of the data subject.
• The transfer is necessary in order to protect the data subject’s or other persons’ vital
interests, provided the data subject is physically or legally incapable of giving consent.
Specific situations related to the Data
Subject

16. 16 | pi © 2018 pi | contact@3-14.com | www.3-14.com
Cross-Border Data Transfer is possible when the transfer is necessary for important reasons of
public interest
The cited reasons of public interest need to be recognised in the European Union’s law or in the
law of the Member Stats to which the data controller is subject.
Public Interest

17. 17 | pi © 2018 pi | contact@3-14.com | www.3-14.com
The transfer is necessary for the establishment, exercise or defence of legal claims.
Legal Claims

18. 18 | pi © 2018 pi | contact@3-14.com | www.3-14.com
Cross-Border Data Transfer is allowed when the transferred data are taken from:
• From a register which is open to the public
• Or a register that is, upon request, open to any person who can demonstrate a legitimate
interest in inspecting it
However, this derogation does not permit the Cross-Border Data Transfer of the entire register.
Public Register

19. 19 | pi © 2018 pi | contact@3-14.com | www.3-14.com
Cross-Border Data Transfer is possible on the basis of administrative arrangements between
different public authorities, provided that the data subject’s rights are adequately protected.
These transfers require approval from the relevant DPA.
Administrative Arrangements

20. 20 | pi © 2018 pi | contact@3-14.com | www.3-14.com
A judgment from a third country, requiring a Cross-Border Data Transfer, only provides a lawful
basis for such a transfer if the transfer is based on an appropriate international agreement, such
as a Mutual Legal Assistance Treaty.
These transfers require approval from the relevant DPA.
Third country judgements and
decisions

21. 21 | pi © 2018 pi | contact@3-14.com | www.3-14.com
The final possible derogation allows for great flexibility but also requires a strict and detailed
internal documentation.
If a Data Transfer is not possible based on any of the derogations above, a transfer to a third
country or international organisation is possible for the purpose of compelling legitimate
interests if:
• The transfer is not repetitive
• It concerns a limited number of data subjects
• Suitable safeguards are put in place for the personal data
• The cited legitimate interests do not override the interests or rights and freedoms of the data
subjects concerned
• Both the relevant DPA’s and the data subjects are informed about the transfer
Compelling legitimate interests

22. 22 | pi © 2018 pi | contact@3-14.com | www.3-14.com
General Data Protection Regulation
Transfers of personal data to third countries or international organisations
Chapter 13: Cross-Border Data Transfers – Unlocking the EU General Data Protection Regulation
Top 10 operational impacts of the GDPR: Part 4 - Cross-border data transfers
Sources