Cross Border Data Transfer Rules under GDPR

General Data Protection Regulation, which becomes law on 25 May 2018, is similar to the current Data Protection Directive in the way it refers to cross border transfer of data, but it is more explicit about the various protections that have to be in place in order for a business or organisation to transfer data to a third country.

What are the rules surrounding cross border data transfer?

The cross border transfer of data is permitted in certain situations;

  • Where the European Commission has decided that the country has rules in place which provide for an adequate level of data protection.
  • In certain circumstances where standard contractual clauses or binding corporate rules (BCRs) are in place.
  • Where there are certain additional circumstances which mean that a derogation is permitted.

Changes that have come with the GDPR

Two of the major changes between the Data Protection Directive and the GDPR are to do with BCRs and standard contractual clauses. The GDPR explicitly recognises the requirement for BCRs which means that any EU state which did not recognise them in the past now needs to. Previously, standard contractual clauses needed to be authorised by the relevent data protection authority (DPA). This is no longer the case under GDPR.

Which parts of the GDPR deal with cross border data transfer?

If you want to know more about the rules regarding cross border data transfer, you can take a look at the GDPR articles which govern them. These articles are:

  • Article 45 deals with the transfer of data based on a decision of adequacy.
  • Article 46 considers the use of other safeguards.
  • Article 47 deals with BCRs.
  • Article 49 refers to derogations.

It becomes obvious that there are several situations where data can be transferred cross border, but protections need to be in place in order for businesses or organisations to comply with the GDPR.