When implementing the GDPR, international transfer of personal data is one of the biggest challenges for a group of companies. This is because, usually, the company members share personal data between each other or send personal data to a group of enterprises engaged in the same economic activity which are not always located in the EU or in a country recognised for offering adequate protection.
Useful? Embed this infographic on your website.
Now, there are several options to transfer Personal Data outside the EU. However, for companies with members or business partner located in third countries not recognized as offering adequate protection -because of Brexit may include the UK- the most cost-effective (1) legal options available (2) are Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCR”).
By using the SCCs, data controllers can export the data to recipients in third countries by agreeing and signing the SCCs; by using the BCR, the group of enterprises will be able to use their internal rules for international transfers of personal data within the same corporate group or business partners located in third countries with not an adequate level of protection.
Both mechanisms are subject to provide the supervisory authorities with enough proof that adequate safeguards are in place; and under any circumstance, the instruments are allowed to replace the data protection obligations bound by law.
There is no one-size-fits-all approach, the assessment of which mechanism is the best to enable the free data flow within an organization or between partnership companies shall be done in a case by case basis. Otherwise, a company can implement a mechanism that does not match its needs and can increase its costs without justification or not cover all its activities bringing substantial legal, operational and reputational risk.
The lawinfographic prepared for this article aims to provide an overview of the advantages and disadvantages of the SCCs and the BCR. This should help legal specialists in the field of data protection to assess which is the best mechanism to enable the free data flow within an organization. Also, it seeks to provide individuals with knowledge about the international transfer of personal data in multinational companies
Each lawinfographic has a visual presentation and keywords that will allow any person to comprehend at a glance the main topic. The lawinfographic and article contain several examples that have been taken from the EU law, regulations, guidelines and opinions on the matter and have been precisely referred in the documents. If you require more information, do not hesitate to consult the lawinfographic sources below each article o reach me in Linkedin.
(1) The Ad Hoc contractual clauses agreements and derogations are also available as an instrument for international transfers; however, both create a framework for a particular data flow, hence do not work for a large number of data flows for various purposes as necessary in a multinational or between business partners.
(2) It should be noted that the GDPR introduced the “approved codes of conduct” and the “certification mechanism” as new instruments for international transfers. However, the “approved codes of conduct” may be drafted by associations or other bodies representing the controllers or processors and must be submitted to the supervisory authority for approval; and the “certification mechanism” requires further action by the Data Protection Authority / European Data Protection Board; hence both instruments are not available yet. Plus, is also mandatory an additional binding and enforceable commitments of the recipient in the third country which guarantees the use of appropriate safeguard, particularly regarding data subjects’ rights.
Recitals 95/46 and Art. 47/63/22/79/13/14/37/93 of the GDPR
Handbook on European Data Protection law
Law Infographic in Relation to European Standard Contractual Clauses
data-protection/international- transfers/binding-corporate- rules/tools/index_en.htm
The EU guidelines for the preparation of BCRs
data-protection/international- transfers/binding-corporate- rules/bcr_cooperation/index_ en.htm
List of companies for which the EU BCR cooperation procedure is closed