International data transfers: options for companies

Whether it concerns customer and employee data or data relating to third-party services on websites or Microsoft 365, transferring personal data to third countries is standard practice for many companies. But in light of the “Schrems II” decision by the European Court of Justice (ECJ), those engaging in this practice may face not only trouble from the authorities but also claims from data subjects seeking compensation for non-material damages. The following is an overview of the legal requirements and options.

What is a third-country transfer?

“Third countries” are defined as all countries which are not member states of the European Economic Area (EEA). The EEA includes all EU member states, as well as Norway, Iceland and Liechtenstein. But the question of what constitutes a third-country transfer is hotly debated and has yet to be fully resolved, particularly in cases where the data is not transferred directly, but merely disclosed.

When is a third-country transfer permissible?

In each case where personal data is transferred to third countries, it must be ensured that data protection does not fall short of the level prescribed in the GDPR. In particular, the GDPR provides for the following options:

1. Adequacy decisions

The European Commission can issue an adequacy decision affirming that an adequate level of protection for personal data exists in a specific third country. Such decisions have been issued e.g. for the United Kingdom, Canada, Switzerland, Japan, Israel and South Korea. A complete list can be found on the EU Commission’s website. An agreement between the US and EU is also being prepared, the Trans-Atlantic Data Privacy Framework, which is designed to serve as the basis for an adequacy decision.

2. Standard contractual clauses

In cases where no adequacy decision exists, the controller or processor is required to provide appropriate safeguards in order to ensure an adequate level of protection. Of particular importance are the EU Commission’s standard contractual clauses, which may be adopted by data importers and exporters. But companies should keep in mind that the use of these clauses is not always sufficient on its own. Data exporters need to examine in each individual case whether the legal situation and practices in the third country are such as to ensure an adequate level of data protection or whether additional measures are required, such as encryption or anonymization.

3. Other options

Corporate groups in particular have the option of adopting internal rules governing data protection, or “binding corporate rules.” This option accounts for the need of international conglomerates to have a single set of data protection rules, e.g. for the transfer of worker or employee data. There are also exceptions to these restrictions, particularly if a transfer can be performed based on the express consent of the data subject. In the view of the supervisory authorities, however, this would only come into consideration in exceptional cases.


Legal certainty is lacking for companies except in cases where a data transfer to third countries is validly excluded or where an adequacy decision exists. It is in the interest of companies which transfer personal data to third countries without the benefit of an adequacy decision to examine whether appropriate safeguards exist to ensure an adequate level of data protection. It may also be necessary to closely examine the legal situation and practices in the third country.

