Transfer of personal data to a third country
Do you process personal data that someone outside the EU has access to? Do you use service providers outside the EU? Do you store personal data in a cloud service? In the General Data Protection Regulation this is called 'transfer of personal data to a third country'. Such transfer is only permitted under certain conditions.
Why are special rules needed for transfers of personal data outside the EU/EEA?
Under the General Data Protection Regulation all the member states of the European Union have equivalent protection of personal data. This also applies in the EEA countries. Personal data can thus be transmitted freely within this area without any restrictions.
Outside the EU/EEA, there are no general rules that provide equivalent protection. The General Data Protection Regulation therefore contains rules concerning under what conditions it is permitted to transfer personal data to countries outside the EU/EEA.
When are transfers outside the EU/EEA permitted?
It is permitted to transfer personal data to countries outside the EU/EEA under certain conditions:
- There is a decision from the European Commission that, for example, a certain country outside the EU/EEA ensures an adequate level of protection.
- You have put in place appropriate safeguards, for example Binding Corporate Rules (BCR) or Standard Contractual Clauses (SCC).
- Specific situations and single cases (derogations).
When relying on one of the transfer tools listed in Article 46 GDPR, such as SCC or BCR, it must be assessed whether the safeguards contained in the transfer tool can ensure, in practice, the effective protection of the transferred personal data. Or, whether supplementary measures need to be implemented, in order to ensure a level of protection that is essentially equivalent to that guaranteed within the EU. In cases where no such supplementary measures are suitable, you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data.
EDPB has adopted recommendations on supplementary measures.
Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
What does 'transfer of data to a third country' mean?
Transfer of personal data to a third country is as a rule when personal data is sent of made available to a receiver outside the EU/EEA.
N.B. Publishing personal data on the Internet does not constitute a transfer to a third country if the website is stored with an Internet provider that is established in the EU.
Examples of transferring personal data to a third country:
- When you send documents that contain personal data by e-mail to a receiver in a country outside the EU/EEA.
- When you use a processor in a country outside the EU/EEA.
- When you give someone outside the EU/EEA access, for example reading rights, to personal data stored within the EU/EEA.
- When you store personal data in a cloud service that is based outside the EU/EEA.
EDPB has adopted guidelines on the Interplay between Article 3 and Chapter V of the GDPR, including an interpretation of the notion of transfer to a third country.
Guidelines 05/2021 on the Interplay between Article 3 and Chapter V of the GDPR
How do we know if a third country has an adequate level of protection?
The European Commission can decide that a third country ensures a sufficiently high level of protection and you may then transfer personal data there without any further safeguards being necessary. In the General Data Protection Regulation this is called 'adequate level of protection'. This can also apply to a certain territory, an international organisation or one or several sectors in a third country.
When the European Commission takes a decision concerning an adequate level of protection, they examine, among other things, the country's national laws and international commitments, what possibilities the data subjects have for judicial redress, and if the country respects human rights and fundamental freedoms. The European Commission also checks that there is an independent supervisory authority that is responsible for ensuring that the data protection rules are complied with and that can assist and advise the data subjects.
N.B. Unlike in the Personal Data Act, there is no room for the controller to itself decide whether an adequate level of protection exists or not. Only the European Commission can take such a decision.
Countries that have an adequate level of protection
The European Commission has decided that the level of protection in these countries is adequate, that is to say sufficiently high according to the General Data Protection Regulation:
- Bailiwick of Guernsey
- Faroe Islands
- Isle of Man
- New Zealand
- South Korea
- United Kingdom
The European Commission has also assessed that the level of protection is adequate in certain areas or under special conditions in the following countries:
- Canada, if their legislation for protection of personal data in the private sector is applicable to the recipient's personal data processing.
Privacy Shield is no longer a valid mechanism for transfers to USA – new adequacy decision on its way
Privacy Shield is a mechanism for self-certification that exists in the United States. According to a previous adequacy decision from the European Commission, exporters within the EU/EEA were permitted to transfer personal data to recipients having joined Privacy Shield. In the Schrems II judgement on 16 July 2020, the European Court of Justice found however that Privacy Shield was no longer a valid mechanism for transfer of personal data to the Unites States.
On 25 March 2022, it was announced that the European Commission and the United States had reached an agreement in principle on a new Trans-Atlantic Data Privacy Framework. Then, on 7 October 2022, president Biden signed an Executive Order aiming at implementing the agreement. On 13 December 2022, the European Commission published a new draft adequacy decision, concluding that the United States ensures an adequate level of protection for personal data transferred from the EU to companies in the United States having joined the framework.
The European Data Protection Board (EDPB) adopted an opinion on the draft adequacy decision on 28 February 2023, where it welcomes substantial improvements under the framework, but also expresses concerns and requests clarifications on several points. The European Commission will now seek approval from a committee composed of representatives of the EU Member States. Once this procedure is completed, the European Commission can proceed to adopting the final adequacy decision.
Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework
EDPB press release on Opinion 5/2023 on the draft adequacy decision
How do we provide appropriate safeguards?
Personal data may be transferred to a country outside the EU/EEA if you put in place appropriate safeguards:
- Binding Corporate Rules
- Standard Contractual Clauses that the European Commission has decided on
- Approved codes of conduct or certification mechanisms
- Legally binding instruments between authorities
- Ad hoc clauses authorised by IMY
- Administrative arrangements between authorities authorised by IMY.
This is provided that enforceable data subject rights and effective legal remedies for data subjects are also available.
Binding Corporate Rules
Binding Corporate Rules (BCR) are personal data protection policies that a corporate group with entities in various countries can develop and use as a tool for transfers within that same group. Binding Corporate Rules must be approved by the Swedish Authority for Privacy Protection or another supervisory authority within the European Union.
The General Data Protection Regulation contains detailed provisions concerning what binding corporate rules must contain and how the supervisory authority shall process applications to have binding corporate rules approved. Before a supervisory authority can approve binding corporate rules it must request an opinion from the European Data Protection Board, where all supervisory authorities within the EU/EEA are represented.
Standard Contractual Clauses (SCC) adopted by the European Commission
On 4 June 2021, the European Commission adopted new standard contractual clauses (SCC) for transfer of personal data to third countries. If you enter into a contract that contain these standard contractual clauses with someone outside the EU/EEA, it is as a rule permitted to transfer data to them. As mentioned above, in some situations, you may also need to implement supplementary measures. Note that you are not allowed to make amendments to the clauses. You may, however, add clauses or incorporate the standard contractual clauses into a broader commercial contract, but the other clauses must not contradict the standard contractual clauses or prejudice the rights of data subjects.
Standard contractual clauses contain obligations for both controllers and processors transferring personal data to countries outside the EU/EEA (exporters) and controllers or processors who receive such data (importers). The clauses also regulate other matters concerning the transfer, for example the data subjects' rights and how disputes arising from the contract are to be settled.
The standard contractual clauses cover various transfer scenarios, namely transfers from (i) controller to controller, (ii) controller to processor, (iii) processor to processor and (iv) processor to controller. You should only use the module applicable to your situation.
For transfers from a controller to a processor, the requirements in Article 28(3) GDPR have been incorporated into the standard contractual clauses, which means that there is no need for the parties to enter into a separate processor agreement. The standard contractual clauses also contain a voluntary so called “docking clause” should the parties want to let additional parties join the contract in the future.
Note that the standard contractual clauses provide appropriate safeguards for transfers by exporters whose data processing is subject to the GDPR to importers whose processing of the data is not subject to the GDPR. The European Commission has however indicated that it is in the process of developing an additional set of standard contractual clauses for the scenario where the GDPR is applicable to the processing of the importer.
The standard contractual clauses, as well as a document with questions and answers, can be found on the website of the European Commission.
Standard Contractual Clauses for International Transfers
N.B. These new standard contractual clauses replace the three sets of standard contractual clauses that were adopted under the previous Data Protection Directive 95/46/EC and, thus, it is no longer possible to rely on those earlier standard contractual clauses for data transfers to third countries.
Codes of conduct and certification mechanisms
If a controller or processor adheres to an approved code of conduct or certification mechanism, it may be permitted to transfer personal data to such importer in a country outside the EU/EEA. This applies provided that the importer makes binding and enforceable commitments to apply the appropriate safeguards provided by the code or the certification mechanism.
EDPB has adopted guidelines on codes of conduct as a transfer instrument.
Guidelines 04/2021 on Codes of Conduct as tools for transfers
EDPB has also adopted guidelines on certification as a transfer instrument.
Guidelines 07/2022 on Certification as a tool for transfers
Legally binding instruments between authorities
It is permitted to base a transfer of personal data to a country outside the EU/EEA on a legally binding and enforceable instrument if the transfer takes place between authorities. Such an instrument between authorities may be a memorandum of understanding or an information exchange agreement within, for example, the tax area.
EDPB has adopted guidelines on legally binding and enforceable instruments (as well as administrative arrangements) between public authorities or bodies.
Guidelines 2/2020 on articles 46(2)(a) and 46(3)(b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Authorisation by the Swedish Authority for Privacy Protection
You may also transfer personal data to a country outside the EU/EEA if you have received an authorisation from the Swedish Authority for Privacy Protection.
Such authorisation can be issued if the transfer is based on contractual clauses between the entity transferring the personal data and the recipient of the data (so called “ad hoc clauses”). Where transfers of personal data between authorities are concerned, an authorisation can also be issued if the transfer is based on provisions in administrative arrangements which include enforceable and effective data subject rights. Before the Swedish Authority for Privacy Protection decides on such authorisation, an opinion must be obtained from the European Data Protection Board, where all supervisory authorities within the EU/EEA are represented.
EDPB has adopted guidelines on administrative arrangements (as well as legally binding and enforceable instruments) between public authorities or bodies.
Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Specific situations and single cases (derogations)
In certain cases it may be permitted to transfer personal data to a country outside the EU/EEA even if the country does not provide for an adequate level of protection and despite appropriate safeguards not having been put in place. However, always first consider whether you really need to make the transfer. Are there other solutions? The requirements for transferring personal data are strict and you need to analyse the risks for the data subjects carefully.
Personal data may be transferred to a country outside the EU/EEA if
- the data subject has explicitly consented to it after having been informed about the risks involved with transfers taking place in the absence of an adequacy decision or appropriate safeguards
- it is necessary for the performance of a contract with the data subject or to carry out measures, at the data subject's request, before entering into such a contract
- it is necessary for the conclusion or performance of a contract with someone other than the data subject, if it is in the interest of the data subject
- it is necessary for important reasons of public interest, which are recognised in national law or EU law
- it is necessary in order to establish, exercise or defend legal claims
- it is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is (physically or legally) incapable of giving consent, or
- the transfer, subject to certain conditions, is made from a register which according to national law or EU law is intended to provide information to the public.
Finally, a transfer of personal data to a country outside the EU/EEA is permitted if it
- is occasional and not repetitive,
- concerns a limited number of data subjects, and
- takes place after a weighing of interests.
When you make such a weighing of interests the transfer must be necessary for purposes that concern your compelling and legitimate interests and you must weigh these against the data subject's interests, rights and freedoms. If the data subject's interests weigh more heavily, you cannot transfer the personal data. You must also assess all circumstances with regard to the transfer and provide suitable safeguards to protect the personal data. You must inform both the Swedish Authority for Privacy Protection and the data subjects of the transfer and on the compelling legitimate interests that you wish to achieve.
EDPB has adopted guidelines on the application of derogations for specific situations in the context of transfers of personal data to third countries.
Guidelines 2/2018 on derogations of Article 49 under GDPR
About the information on this page
If the information in English is different from the Swedish version of this page, the Swedish version applies.