Do you process personal data that someone outside the EU has access to? Do you use service providers outside the EU? Do you store personal data in a cloud service? The General Data Protection Regulation calls this 'transfer of personal data to a third country'. It is permitted in some cases but the rules are strict.
Why are special rules needed to transfer personal data outside the EU/EEA?
Under the General Data Protection Regulation all the member states of the European Union have uniform protection of personal data and personal privacy. This also applies in the EEA countries. Personal data can thus be transmitted freely within this area without any restrictions.
Outside the EU/EEA, on the other hand, there are no general rules that provide equivalent protection. The General Data Protection Regulation therefore contains rules concerning under what conditions it is permitted to transfer personal data to countries outside the EU/EEA.
When are transfers outside the EU/EEA permitted?
It is permitted to transfer personal data to countries outside the EU/EEA under certain conditions:
- There is a decision from the European Commission that, for example, a certain country outside the EU/EEA ensures an adequate level of protection.
- You have taken appropriate protection measures, for example Binding Corporate Rules (BCR) or Standard Contractual Clauses (SCC).
- Special situations and single cases.
What does 'transfer of data to a third country' mean?
Transfer of personal data to a third country is when personal data is made available to someone outside the EU/EEA.
N.B. Publishing something on the Internet does not constitute transfer of data to a third country if the website is stored with an Internet provider that is established inside the EU.
Examples of transferring personal data to a third country:
- When you send documents that contain personal data by e-mail to a person in a country outside the EU/EEA.
- When you use a data processor in a country outside the EU/EEA.
- When you give someone outside the EU/EEA access, for example reading rights, to personal data stored within the EU/EEA.
- When you store personal data in a cloud service that is based outside the EU/EEA.
- When you store personal data, for example on a server, in a country outside the EU/EEA.
How do we know if a third country has an adequate level of protection?
The European Commission can decide that a country has a sufficiently high level of protection and you may then transfer personal data there without any special licence. The General Data Protection Regulation calls this 'adequate level of protection'. It can also apply to a certain territory, an international organisation or one or several sectors in a third country.
When the European Commission takes decisions concerning an adequate level of protection, they look, among other things, at the country's laws and international undertakings, what possibilities the data subjects have for legal examination, and if the country respects human rights and fundamental freedoms. The European Commission also checks that there are independent supervisory authorities that are responsible for ensuring that the data protection rules are complied with and that can help the data subjects.
N.B. Unlike in the Personal Data Act, there is no longer scope for the data controller to itself decide whether an adequate level of protection exists or not. Only the European Commission can take such a decision.
Countries that have an adequate level of protection
The European Commission has decided that the level of protection in these countries is adequate, that is to say sufficiently high according to the General Data Protection Regulation:
- Bailiwick of Guernsey
- Faroe Islands
- Isle of Man
- New Zealand
The European Commission has also assessed that the level of protection is adequate in certain areas or under special conditions in the following countries:
- Canada, if their legislation for protection of personal data in the private sector is applicable to the recipient's personal data processing.
- The USA, if the recipient has joined the Privacy Shield Framework.
In the USA, Privacy Shield can be used to guarantee the level of protection
Privacy Shield is a mechanism for self-certification that exists in the USA. It allows organisations in the USA to notify the US Department of Commerce and report that they comply with the requirements laid down in Privacy Shield. Under a European Commission decision data controllers within the European Union are permitted to transfer personal data to recipients that have joined Privacy Shield.
Update July 2020 – Privacy Shield invalidated
The judgement in the Schrems II case issued by the European Court of Justice on Thursday 16 July 2020 found that Privacy Shield is no longer a valid way to transfer personal data outside the EEA.
The European Data Protection Board (EDPB) continues to examine and assess the judgement of the Court in order to provide further guidance.
How do we take appropriate protection measures?
Personal data may be transferred to a country outside the EU/EEA if you take appropriate protection measures:
- Binding Corporate Rules
- Standard Contractual Clauses that the European Commission has decided on
- approved codes of conduct or certification mechanisms
- legally binding instruments between authorities.
There must also be statutory rights and the possibility for the data subjects to complain about the personal data processing and have it examined by a court.
Binding Corporate Rules
Binding Corporate Rules (BCR) are rules that a group with companies in several different countries can draw up to define its processing of personal data. Binding Corporate Rules must be approved by the Swedish Data Protection Authority or another supervisory authority within the European Union.
The General Data Protection Regulation contains detailed provisions concerning what binding corporate rules are to contain and how the supervisory authority processes applications to have binding corporate rules approved. Before a supervisory authority approves binding corporate rules it must request an opinion from the European Data Protection Board, where all supervisory authorities within the EU/EEA are represented.
Standard Contractual Clauses (SCC) that the European Commission has decided on
The European Commission has approved certain standard contractual clauses that concern data protection. If you enter into a contract that contains these standard contractual clauses with someone outside the EU/EEA, it is permitted to transfer data to them. Note, however, that you are not allowed to make changes to the clauses. If necessary, you may add clauses concerning business-related matters, but such clauses must not conflict with any standard contractual clause.
Standard contractual clauses contain obligations for both data controllers wishing to transfer personal data to countries outside the EU/EEA and the data controllers or data processors who receive such data. The clauses also regulate other matters concerning the transfer, for example the data subjects' rights and how disputes arising from the contract are to be settled.
There are three alternatives to choose from as regards standard contractual clauses. All three have been approved by the European Commission. Two of them apply to transfers to other data controllers in countries outside the EU/EEA. The third applies to transfers of personal data to data processors in countries outside the EU/EEA.
Codes of conduct and certification mechanisms
If you subscribe to an approved code of conduct or certification mechanism, it may be permitted to transfer personal data to countries outside the EU/EEA. This applies provided that the code or mechanism involves legally binding and enforceable obligations, also for the recipient of the personal data.
Legally binding instruments between authorities
It is permitted to base a transfer of personal data to a country outside the EU/EEA on a legally binding and enforceable instrument if the transfer takes place between authorities. Such an instrument between authorities may be a memorandum of understanding or an exchange of information agreement within, for example, the tax area.
The Swedish Data Protection Authority issues special licences
You may also transfer personal data to a country outside the EU/EEA if you have been given a licence by the Swedish Data Protection Authority.
Such a licence can be issued if the transfer is based on contractual clauses between the entity transferring the personal data and the recipient of the data. Where transfers of personal data between authorities are concerned, a licence can also be issued if the transfer is based on regulations in administrative agreements that contain enforceable and tangible rights for the data subjects. Before the Swedish Data Protection Authority decides on a special licence, an opinion must be obtained from the European Data Protection Board, where all supervisory authorities within the EU/EEA are represented.
Special situations and single cases – but only in exceptional cases
In certain special cases it may be permitted to transfer personal data to a country outside the EU/EEA even if the country does not have an adequate level of protection and appropriate protection measures have not been taken. However, always first consider whether you really need to make the transfer. Are there other solutions? The requirements that entities wishing to transfer personal data must meet are strict, and you need to analyse the risks to the data subjects carefully.
Personal data may be transferred to a country outside the EU/EEA if
- the data subjects have explicitly consented to it after having been given information about the risks involved with transfers that take place when there is no decision on an adequate data protection level or appropriate protection measures
- it is necessary in order to perform a contract with the data subject or to, at the data subject's request, carry out measures before entering into such a contract
- it is necessary in order to enter into or perform a contract with someone other than the data subject if it is in the data subject's interest
- it is necessary for important reasons that concern the public interest, which is to be recognised in national law or EU law
- it is necessary in order to establish, exercise or defend legal claims
- it is necessary in order to protect the fundamental interests of the data subject or of another person, when the data subject is prevented (physically or legally) from giving their consent, or
- the transfer, subject to certain conditions, is made from a register that under national law or EU law is for the public's information.
Finally, a transfer of personal data to a country outside the EU/EEA is permitted if it
- takes place on only one single occasion,
- concerns a limited number of data subjects, and
- takes place after a weighing of interests.
When you make such a weighing of interests the transfer must be necessary for purposes that concern your compelling and legitimate interests and you must weigh these against the data subject's interests, rights and freedoms. If the data subject's interests weigh more heavily, you may not transfer the personal data. You must also make an assessment of all circumstances with regard to the transfer and then take appropriate measures to protect the personal data. You must inform both the Swedish Data Protection Authority and the data subjects of the transfer and of the compelling interests that you wish to achieve.