For multinational employers, transferring personal data to so-called third countries, meaning countries outside the European Economic Area, is almost inevitable. In many cases, the company group may have members resident in non-EEA countries who need to process personal data of EU-resident employees, or a third party residing outside the EEA may provide a service to the company group that involves processing of personal data. In this article we deal with the question of how such personal data transfers to third countries may be made GDPR compliant.

Smartlegal Schmidt&Partners reports from Hungary:

1. What are “safe” countries?

The European Commission has the power to determine whether a country outside the European Economic Area offers an adequate level of data protection.

The effect of such a decision is that personal data can flow from the European Economic Area to that third country without any additional security measures.

2. What about data transfer to the United States?

In recent years it has not been easy to decide whether the United States (or specific organisations located in the United States) can be regarded as a safe country.

When the GDPR entered into force, the so-called EU-U.S. Privacy Shield existed, under which U.S. companies could self-certify, meaning that an adequate level of data protection was provided for personal data transferred to those companies. However, in July 2020 the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield, stating that U.S. laws offer limited protection to EU data subjects and do not grant actionable rights before the courts.

Following the CJEU’s decision, the U.S. lawmaker revised and amended the relevant legislation, and the European Commission adopted the EU-U.S. Data Privacy Framework. This means that, according to the Commission, the United States ensures an adequate level of protection for personal data transferred from the EEA to companies participating in the Framework.

3. Binding corporate rules

Multinational employers may rely on so-called binding corporate rules (BCR) in order to facilitate data transfers from EU-based subsidiaries to members of the company group that are based in countries outside the EU.

The BCR must be legally binding and applicable to every member of the company group. They shall specify, among other things, the data transfers, and must include the general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers.

The binding corporate rules shall be approved by the competent supervisory authority based on the opinion of the European Data Protection Board.

4. Standard contractual clauses

Standard contractual clauses (SCC) approved by the Commission may also be used as a ground for data transfers from EU-based members to third-country-based members of the company group or to other entities located outside the EEA (e.g. an outsourced service provider).

The SCC currently in force may be tailored to the needs of the company group as they can be applied to the following data transfers:

  • transfers between controllers
  • transfers from a controller to a processor
  • transfers between processors
  • transfers from a processor to a controller.

5. Other transfer methods

In exceptional cases, multinational employers may rely on the derogations provided by the GDPR in relation to data transfers. One such exception may be the explicit consent of the data subject, which should be treated with caution in the case of employees.

The European Data Protection Board, however, emphasized that controllers may only rely on derogations in the case of occasional and non-repetitive transfers that involve data related to only a limited number of individuals.

To sum up the above, non-EEA data transfers require special attention and a well-planned strategy, especially in the case of multinational employers who may transmit a large amount of personal data to third countries on a regular basis.

Written by Anita Vereb

SMARTLEGAL is a team of agile business & litigation lawyers in Budapest, Hungary, helping international corporate clients and individual entrepreneurs doing business in Hungary. For more information please visit our website at smartlegal.hu