Inter­na­tio­nal data trans­fers: opti­ons for companies

Whe­ther cus­to­mer and employee data or data rela­ting to third-party ser­vices on web­sites or Micro­soft 365, trans­fer­ring per­so­nal data to third coun­tries is stan­dard prac­ti­ce for many com­pa­nies. But in light of the “Schrems II” decisi­on by the Euro­pean Court of Jus­ti­ce (ECJ), tho­se enga­ging in this prac­ti­ce may face not only trou­ble from the aut­ho­ri­ties but also claims from data sub­jects see­king com­pen­sa­ti­on for non-material dama­ges. The fol­lowing is an over­view of the legal requi­re­ments and options.

What is a third-country transfer?

“Third coun­tries” are defi­ned as all coun­tries which are not mem­ber sta­tes of the Euro­pean Eco­no­mic Area (EEA). The EEA inclu­des all EU mem­ber sta­tes, as well as Nor­way, Ice­land and Liech­ten­stein. But the ques­ti­on of what con­sti­tu­tes a third-country trans­fer is hot­ly deba­ted and has yet to be ful­ly resol­ved, par­ti­cu­lar­ly in cases whe­re the data is not trans­fer­red direct­ly, but merely disclosed.

When is a third-country trans­fer permissible?

In each case whe­re per­so­nal data is trans­fer­red to third coun­tries, it must be ensu­red that data pro­tec­tion does not fall short of the level pre­scri­bed in the GDPR. In par­ti­cu­lar, the GDPR pro­vi­des for the fol­lowing options:

1. Ade­quacy decisions

The Euro­pean Com­mis­si­on can issue an ade­quacy decisi­on affir­ming that an ade­qua­te level of pro­tec­tion for per­so­nal data exists in a spe­ci­fic third coun­try. Such decisi­ons have been issued e.g. for the United King­dom, Cana­da, Switz­er­land, Japan, Isra­el and South Korea. A com­ple­te list can be found on the EU Commission’s web­site. An agree­ment bet­ween the US and EU is also being pre­pa­red, the Trans-Atlantic Data Pri­va­cy Frame­work, which is desi­gned to ser­ve as the basis for an ade­quacy decision.

2. Stan­dard con­trac­tu­al clauses

In cases whe­re no ade­quacy decisi­on exists, the con­trol­ler or pro­ces­sor is requi­red to pro­vi­de appro­pria­te safe­guards in order to ensu­re an ade­qua­te level of pro­tec­tion. Of par­ti­cu­lar impor­t­ance are the EU Commission’s stan­dard con­trac­tu­al clau­ses, which may be adop­ted by data importers and exporters. But com­pa­nies should keep in mind that the use of the­se clau­ses is not always suf­fi­ci­ent on its own. Data exporters need to exami­ne in each indi­vi­du­al case whe­ther the legal situa­ti­on and prac­ti­ces in the third coun­try are such as to ensu­re an ade­qua­te level of data pro­tec­tion or whe­ther addi­tio­nal mea­su­res  are requi­red, such as e.g. encryp­ti­on or anonymization.

3. Other options

Cor­po­ra­te groups in par­ti­cu­lar have the opti­on of adop­ting inter­nal rules gover­ning data pro­tec­tion, or “bin­ding cor­po­ra­te rules.” This opti­on accounts for the need of inter­na­tio­nal con­glo­me­ra­tes to have a sin­gle set of data pro­tec­tion rules, e.g. for the trans­fer of worker or employee data. The­re are also excep­ti­ons to the­se restric­tions, par­ti­cu­lar­ly if a trans­fer can be per­for­med based on the express con­sent of the data sub­ject. In the view of the super­vi­so­ry aut­ho­ri­ties, howe­ver, this would only come into con­si­de­ra­ti­on in excep­tio­nal cases.


Legal cer­tain­ty is lacking for com­pa­nies except in cases whe­re a data trans­fer to third coun­tries is valid­ly exclu­ded or whe­re an ade­quacy decisi­on exists. It is in the inte­rest of com­pa­nies which trans­fer per­so­nal data to third coun­tries without the bene­fit of an ade­quacy decisi­on to exami­ne whe­ther appro­pria­te safe­guards exist to ensu­re an ade­qua­te level of data pro­tec­tion. It may also be necessa­ry to clo­se­ly exami­ne the legal situa­ti­on and prac­ti­ces in the third country.


Stay up-to-date

We use your e-mail address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.