Cross-border data transfer is one of the most controversial data protection issues. This page gives you an overview and answers important questions:
Intro: What are the most important facts about cross-border data transfer?
Requirements: What does the law say about cross-border data transfer?
Duties: What specific measures need to be implemented when it comes to cross-border data transfer?
When transferring data to a country outside the EU and the EEA, a distinction must be made between two different types of countries:
According to Art. 45 Para. 1 GDPR, “[a] transfer of personal data to a third country or an international organisation may take place where the [European] Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.”
The Commission has adopted a so-called “adequacy decision” so far with respect to the following countries: Andorra, Argentina, Canada (limited to commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United Kingdom. Data transfers to such countries are treated the same as transfers within the EU/EEA.
By contrast, transfers to so-called unsafe third countries – countries that, from the EU Commission’s perspective, do not provide an adequate data protection regime – regularly require a specific “safeguard” to ensure compliant processing.
Among the possible safeguards for data transfers to unsafe countries listed in Art. 46 Para. 2 GDPR are the so-called “Standard Data Protection Clauses” adopted by the European Commission. The Clauses contain mandatory rules, partly designed individually for the four possible transfer constellations: EU controller to non-EU controller, EU controller to non-EU processor, EU processor to non-EU processor and EU processor to non-EU controller. For instance, the Clauses’ module for EU controller to non-EU processor must be chosen where the services of a US IT service provider are used, provided that the provider is able to access the controller’s personal data in the course of providing the service.
A suitable alternative to the Standard Data Protection Clauses for data transfers between companies of the same business group is the so-called “Binding Corporate Rules”, for which Art. 47 Para. 2 GDPR stipulates basic content requirements.
Neither the Standard Data Protection Clauses nor the Binding Corporate Rules need to be put in place if a derogation according to Art. 49 Para. 1 GDPR applies. Important examples for such derogations are the data subject’s explicit consent to the transfer (Art. 49 Para. 1 lit. a GDPR) and the transfer’s necessity “for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request” (Art. 49 Para. 1 lit. b GDPR).
Depending on the safeguard or derogation on which the data transfer is based, different measures need to be implemented. In the case of the Standard Data Protection Clauses, for example, the focus is on concluding the appropriate modules (and implementing additional protective measures where necessary).