Transfer to Third Countries - Law & Innovation

For many international companies, the transfer of data outside the European Union is of utmost importance. However, when this data is personal, European data protection laws require either an adequacy decision, such as the so-called US Privacy Shield, or “appropriate safeguards” (Art. 46 GDPR), both of which ensure an adequate level of protection outside the Union. Only on this basis can the controller transfer the data. In particular, data controllers located in countries where no adequacy decision exists (please find here the list of countries where there is such a decision), are frequently interested in tailoring the appropriate safeguards to their specific needs. In this regard, there are typically two conflicting needs that can play an important role: scalability regarding processing activities and the complexity of conflicting interests.

The need for scalability refers to a situation in which a company carries out many different processing activities. The broader the scope of an appropriate safeguard is, the more processing activities a company can build on such a safeguard. This means, this safeguard “scales”. However, a negative consequence can be an increased complexity of conflicting interests. Moreover, the broader the scope of an appropriate safeguard is, the more stakeholders are involved in the negotiation process. A prominent example is the US Privacy Shield, which covers all transfers of personal data to the United States and may not meet the constitutional requirements. For the period after the Brexit, the situation in the UK is even less clear. To reduce the complexity of interests, companies can therefore also resort to alternative safeguards, such as: Corporate Binding Rules applying to a group of companies; Codes of conduct covering a specific processing sector (e.g. insurance industry); or certificates referring to a single processing activity or bundle of activities that relate to a certain service or product category. Since each of these safeguards has another scope of application, they can all fit different needs for scalability and/or complexity.