GDPR - Transfers on the Basis of an Adequacy Decision - Legal Contracts for Third Countries or International Orgs
Recital - 101.
General Principles for International Data Transfers
Executive Summary
You can only transfer data to jurisdictions authorized to manage data in accordance with GDPR regulations.
Recital Text
Flows of personal data to and from countries outside the Union and international organizations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organizations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organization to controllers, processors in the same or another third country or international organization. In any event, transfers to third countries and international organizations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organizations are complied with by the controller or processor.
Recital - 102.
International Agreements for an Appropriate Level of Data Protection
Executive Summary
You can only transfer data to jurisdictions authorized to manage data in accordance with GDPR regulations.
Recital Text
This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organizations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects.
Recital - 103.
Appropriate Level of Data Protection Based on an Adequacy Decision
Executive Summary
You can only transfer data to jurisdictions authorized to manage data in accordance with GDPR regulations.
Recital Text
The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organization, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organization which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organization may take place without the need to obtain any further authorization. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organization, to revoke such a decision.
Recital - 104.
Criteria for an Adequacy Decision
Executive Summary
You can only transfer data to jurisdictions authorized to manage data in accordance with GDPR regulations.
Recital Text
In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, or of a territory or specified sector within a third country, take into account how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. The adoption of an adequacy decision with regard to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country. The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where personal data are processed in one or several specific sectors. In particular, the third country should ensure effective independent data protection supervision and should provide for cooperation mechanisms with the Member States’ data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.
Recital - 105.
Consideration of International Agreements for an Adequacy Decision
Executive Summary
You can only transfer data to jurisdictions authorized to manage data in accordance with GDPR regulations.
Recital Text
Apart from the international commitments the third country or international organization has entered into, the Commission should take account of obligations arising from the third country's or international organization's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organizations.
Recital - 106.
Monitoring and periodic review of the level of data protection
Executive Summary
You can only transfer data to jurisdictions authorized to manage data in accordance with GDPR regulations.
Recital Text
The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or specified sector within a third country, or an international organization, and monitor the functioning of decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC. In its adequacy decisions, the Commission should provide for a periodic review mechanism of their functioning. That periodic review should be conducted in consultation with the third country or international organization in question and take into account all relevant developments in the third country or international organization. For the purposes of monitoring and of carrying out the periodic reviews, the Commission should take into consideration the views and findings of the European Parliament and of the Council as well as of other relevant bodies and sources. The Commission should evaluate, within a reasonable time, the functioning of the latter decisions and report any relevant findings to the Committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council (12) as established under this Regulation, to the European Parliament and to the Council.
Recital - 107.
Amendment, Revocation and Suspension of Adequacy Decisions
Executive Summary
You can only transfer data to jurisdictions authorized to manage data in accordance with GDPR regulations.
Recital Text
The Commission may recognise that a third country, a territory or a specified sector within a third country, or an international organization no longer ensures an adequate level of data protection. Consequently the transfer of personal data to that third country or international organization should be prohibited, unless the requirements in this Regulation relating to transfers subject to appropriate safeguards, including binding corporate rules, and derogations for specific situations are fulfilled. In that case, provision should be made for consultations between the Commission and such third countries or international organizations. The Commission should, in a timely manner, inform the third country or international organization of the reasons and enter into consultations with it in order to remedy the situation.
Recital - 108.
Appropriate Safeguards
Executive Summary
You can only transfer data to jurisdictions authorized to manage data in accordance with GDPR regulations.
Recital Text
In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organizations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorization by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.
Recital - 109.
Standard Data Protection Clauses
Executive Summary
You can only transfer data to jurisdictions authorized to manage data in accordance with GDPR regulations.
Recital Text
The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.
Recital - 110.
Binding Corporate Rules
Executive Summary
Operations with locations in the EEA can transfer data within the organization to overseas operations, but GDPR still applies.
Recital Text
A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organizations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.
Recital - 115.
Rules in Third Countries Contrary to the Regulation
Executive Summary
1. You can only transfer data out of the EEA if:
(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organization may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.
Recital Text
Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.
Executive Summary
If it is absolutely necessary to transfer data out of GDPR jurisdiction, additional safeguards must be put in place. A risk assessment should be done before each transfer, based on the amount of data, the data type, the risks associated with data exposure or loss, the strength of the data protection used by the third party, and the risk appetite of the business.
Before the risk assessment it is recommended to have the following in place:
- Binding Legal Contracts between the two entities ensuring adequate data privacy and protection
- Technical and non-technical audit of the third party's information security and data privacy practices
- Prior experience doing business with the third party
- Understanding of how the country where the third party resides regards the rule of law
- Consultation from a Supervisory Authority