GDPR International Transfer: What You Need to Know

You might be surprised to learn the concept of data transfer predates the earliest computers. According to Dr. Carl Rebman at the University of San Diego, data communications are defined as “any process that permits the passage from a sender to one or more receiver of information of any nature, delivered in any easy-to-use form by any electromagnetic system.”

Technically, this began in 1837 with Samuel Morse’s telegraph system. Then came phones, radios, television, satellites, fax machines, computers, and the internet. We’ve been effectively transferring data via electronic means for almost two centuries.

With the volume and sensitivity of today’s data transfer, the EU is addressing the need to restrict and protect the data transfer of its citizens to countries and organizations outside of the EU. Here’s what you need to know:

What Is It?
The GDPR (General Data Protection Regulation) outlines principles to guide organizations through digital interactions relative to data subjects and their personal data, and the regulation places restrictions on transferring personal data outside the EU. Data must be transferred within the conditions set in Chapter V of the GDPR.

While it is extremely important to move data freely to wherever it is needed, the transfer of data outside the EU is generally prohibited unless the following conditions apply:

  • An adequate protection level exists where the recipient operates
  • An exemption or derogation is applicable, or
  • The exporting agency applies appropriate safeguards.

What Are the Safeguards?
Organizations must provide personal data safeguards through the following:

  • Legally binding agreements
  • Binding corporate rules
  • Commission-adopted or approved data protection clauses
  • Compliance with an approved code of conduct
  • A GDPR-approved certification
  • Authorized contractual clauses or authorized administrative provisions between public agencies.

Are There Any Exceptions?
The short answer, yes—under specific conditions. Data transfers are allowed outside EU mandates under the following (the first two are not available for public authorities exercising their public powers):

  • With individual’s informed consent
  • For contractual performance (or pre-contractual steps) at individual’s request
  • For important reasons of public interest
  • For the establishment, exercise, or defense of legal claims
  • For the protection of individuals physically or legally incapable of giving consent
  • For UK or EU registries intended to provide information to the public

So regardless of data transfer method—telegraph, telephone, or satellite provided wireless capability—you must comply with GDPR mandates regarding international transfer.

We’re in the home stretch prior to GDPR enforcement. Know the rules surrounding international data transfer. Get smart, get compliant, and stay informed.

If you have additional questions regarding GDPR implementation and compliance, FileFacets can help you discover the answers for your organization. With years of experience in information governance, FileFacets provides the tools for acquiring data, and identifying and processing personal data from multiple sources.