When implementing the GDPR, the international transfer of personal data is one of the biggest challenges for a group of companies. This is because the group's members usually share personal data with each other, or send personal data to a group of enterprises engaged in the same economic activity, and those recipients are not always located in the EU or in a country recognised as offering adequate protection.
There are several options for transferring personal data outside the EU. However, for companies with members or business partners located in third countries not recognised as offering adequate protection (which, because of Brexit, may come to include the UK), the most cost-effective (1) legal options available (2) are Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCR”).
By using the Standard Contractual Clauses, data controllers can export data to recipients in third countries by agreeing to and signing the SCCs; by using BCR, a group of enterprises can rely on its own internal rules for international transfers of personal data within the same corporate group, or to business partners located in third countries without an adequate level of protection.
Both mechanisms require the organisation to provide the supervisory authorities with sufficient proof that adequate safeguards are in place; and under no circumstances do these instruments replace the data protection obligations imposed by law.
There is no one-size-fits-all approach: the assessment of which mechanism best enables the free flow of data within an organisation or between partner companies must be done on a case-by-case basis. Otherwise, a company may implement a mechanism that does not match its needs, increasing its costs without justification, or one that does not cover all of its activities, bringing substantial legal, operational and reputational risk.
(1) Ad hoc contractual clauses and derogations are also available as instruments for international transfers; however, both create a framework for a particular data flow, and hence do not work for the large number of data flows for various purposes that a multinational, or a set of business partners, typically needs.
(2) It should be noted that the GDPR introduced “approved codes of conduct” and the “certification mechanism” as new instruments for international transfers. However, an approved code of conduct must be drafted by associations or other bodies representing the controllers or processors and submitted to the supervisory authority for approval, and the certification mechanism requires further action by the Data Protection Authority / European Data Protection Board; hence neither instrument is available yet. In addition, both require binding and enforceable commitments from the recipient in the third country guaranteeing the application of appropriate safeguards, particularly regarding data subjects’ rights.