If you want to transfer personal data outside of the EEA, there are rules that you must adhere to.
These rules apply no matter the size of the data transfer and regardless of the number of transfers that are carried out. So how do you make a restricted transfer under GDPR?
What is a restricted data transfer?
A data transfer is said to be restricted if:
- The GDPR applies to your processing of the personal data that you are transferring
- You are sending (or making accessible) the personal data to a receiver to which the GDPR does not apply. This would be a country outside of the EEA.
- The receiver is a separate individual or organisation. Be warned: this also covers transfers to another company within the same corporate group.
How to make a restricted transfer in accordance with GDPR
- Is the restricted transfer covered by an adequacy decision? – You must check whether an adequacy decision is in place for that country; the countries which have an adequacy decision are listed here.
- In the absence of an adequacy decision, the restricted transfer is allowed if the controller or processor has put appropriate safeguards in place. ‘Appropriate safeguards’ are listed in Article 46 GDPR.
Appropriate safeguards are:
a. A legally binding and enforceable instrument between public authorities or bodies
b. Binding corporate rules
c. Standard Contract Clauses as adopted by the Commission
d. Standard Contract Clauses adopted by a supervisory authority and approved by the Commission
e. An approved code of conduct together with binding and enforceable commitments of the controller and processor outside the EEA
f. An approved certification mechanism together with enforceable commitments of the controller and processor outside of the EEA
Is the restricted transfer covered by an exception?
Article 49 GDPR: Derogations for specific situations.
If your restricted transfer is covered neither by an adequacy decision nor by the safeguards listed above, then you must rely on the exceptions in Article 49 GDPR. These exceptions allow transfers in specific situations, such as transfers based on consent, for the performance or conclusion of a contract, for the exercise of legal claims, to protect the vital interests of the data subject where they cannot give consent, or for important reasons of public interest.
The exceptions are:
- The data subject has given explicit consent for the proposed transfer
- You have a contract with the individual and the transfer is necessary for the performance of that contract, or you are about to enter into the contract and the individual has requested the transfer
- You have or are entering into a contract with the individual which benefits another individual whose data is being transferred
- The transfer is necessary for reasons of public interest
- The transfer is necessary for the establishment, exercise or defence of legal claims
- The transfer is necessary to protect the vital interests of the data subject and/or other persons where the data subject is incapable of giving consent
- The transfer is from a public register to provide information to the public
For further information on international data transfers under GDPR, you can consult the ICO.