A guide to the new General Data Protection Regulation (GDPR) – Part 4 of 5
International Data Transfers
The current system has effectively been carried across from the Directive, albeit with some improvements.
This means that any personal data should not be transferred outside of the EEA unless there are appropriate safeguards in place. These might include using an approved mechanism for any proposed data transfer such as DPA approved contracts or making sure that the destination jurisdiction is deemed safe by the European Commission.
It should be noted that the Regulations remove self-assessment as a valid mechanism for transfer. Additionally data exporters relying on consent to move data outside the EU will now have to be certain that any data subjects have been informed of the potential risks of the transfer.
The GDPR however does provide that a transfer can take place provided it is in the legitimate interest of the data controller, it is not repetitive and it only affects a small number of data subjects. Additionally, the controller must assess the transfer and deem that it has legitimate ‘compelling’ interests that are not outweighed by the interests of the rights of the data subject.
Binding Corporate Rules (BCRs)
For the first time, the GDPR provides recognition to the role of BCRs. BCRs are a set of legally binding corporate rules approved by a data protection authority that allows groups of companies to make intra-organisational transfers of personal data (including to offices based outside of the EEA).
The GDPR requires national data protection authorities to recognise BCRs approved by any other authority provided that they are:
- legally binding and enforced by each member of the group;
- legally binding on employees of the corporate group; and
- give enforceable rights to data subjects.
It is likely that the use of BCRs will increase as a result of the GDPR.
The GDPR also introduces the concept of a ‘one-stop-shop’. Businesses which are established in multiple EU states will be able to nominate a single national data protection authority to act as the lead regulator for all of that organisation’s data protection compliance issues in the EU.
This should limit the administrative burden for organisations based in multiple countries, which otherwise would have had to interact with a different DPA in each member state they operate in.