Data Transfers

A data transfer occurs when personal data leaves the EU or is being made available outside the EU.

Background

You may have heard that data going to the US is a problem. “Schrems II” is also a term many people use, and if you are a B2B SaaS company, customers and prospects might ask, “Can you give us information about your data transfers?”

So the term “transfer” or “data transfers” is often used when talking about privacy and data protection. In this post, we will try to explain what a data transfer is and why it’s an important word when it comes to the GDPR.

The GDPR consists of rights and obligations that apply to all people and companies that handle personal data inside the EU (including Norway, Iceland and Liechtenstein). If the personal data ever leaves the EU, the level of data protection will, in many cases, be lower. Therefore, the GDPR has special rules on data transfers.

Why are there special rules on data transfers outside of the EU?

Because the EU wants to ensure that the data is still protected, safeguarded and processed in the same way as it is in the EU.

Unfortunately, the GDPR doesn’t provide much guidance or definitions related to a transfer.

Art. 44 of the GDPR states that a transfer of personal data outside the EU can take place only if the same level of protection is provided.

So let's take a look at some of the important things to know about data transfers.

What are data transfers?

A transfer can occur when you share, add, upload, host, access, or send personal data outside Europe. In other words, a data transfer happens when personal data leaves the EU or is being made available outside the EU.

Example: Using a cloud provider

A company has developed an app. The company wants a cloud provider to host its app. They use the hosting service from AWS located in the United States. This is a data transfer, as the personal data in the app is stored on a server from AWS Inc., and the personal data physically leaves Europe.

Example: IT support

A payroll provider has outsourced their IT support to a Ukrainian company. The Ukrainian employees cannot change or edit any information. They can view personal data only, and the data does not physically leave Europe. This is a data transfer, as the personal data is made available for the Ukrainian company to access.

Example: Newsletters and data transfers when using Mailchimp

A software company has a website where customers can sign up for newsletters and marketing. The company uses the Mailchimp service located in the US to send out these emails. Data is transferred, as the software company shares the email addresses of its customers with Mailchimp.

Example: Cookie providers and data transfers when using Google Analytics

A hairdresser uses Google Analytics to monitor visitors and traffic on his website. This is a transfer, as personal data of the website visitors is sent to Google Inc.

What are not data transfers?

In the GDPR, for a transfer to happen, there must be a company disclosing the data and a different company receiving or being given access to the data.

If personal data is accessed by employees on business trips or by remote workers within the same company, there is no transfer happening.

Example: Employee on business trip

An IT company sends their employee to Tokyo for a meeting. During his stay, the employee remotely accesses personal data. This remote access of personal data does not qualify as a transfer, as the access happens within the same company.

Example: Remote workers

An HR company has employed a remote employee, working from her home in Turkey. Even though the employee has remote access to personal data, there is no transfer as the employee is part of the company that sends the data outside the EU.

It is important to remember that the GDPR still applies to the workers located outside the EU; this means that you should still be aware of having proper security in place, having an employee privacy notice, etc.

Entities within the same corporate group, such as subsidiaries or affiliates, are their own legal entities. Exchanging personal data between two different legal entities will always be regarded as a data transfer.

Safeguards for transfers

Great! You now know where your company is transferring personal data. The next step is to get the proper legal basis in place between you and the vendors you’re sharing data with outside the EU.

The legal basis can be:

Standard Contractual Clauses (SCCs)

SCCs are standard contractual terms from the EU that you and your vendor must accept. The SCCs contain obligations on you and your vendor and say that you both must comply with the GDPR. SCCs can be a stand-alone legal contract or incorporated into your Data Processing Agreement.

Binding Corporate Rules (BCR)

BCR are policies that companies established in Europe can incorporate and apply to their entire company group. If the company group has an approved BCR, the group is seen as having proper data protection safeguards in place, and data can be transferred within the group across countries.

Secure countries

The EU has recognized Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, the UK, and South Korea as being “secure countries”, so you can transfer data to these countries without applying further safeguards.

Privacy Shield

No longer valid. If your vendor mentions using “Privacy Shield” as a legal basis, it’s not sufficient, as this agreement was declared void by the European Court of Justice.
