Conditions for transfer of personal data outside the EU
Under European law, it is important that a country outside the EU to which personal data are transferred, known as a 'third country', can adequately protect those data. A transfer of personal data to a third country must comply with the European regulations established for this purpose. European law provides three possibilities on the basis of which a transfer may take place. These are described in more detail below.
Adequacy Decision
A transfer of personal data to a third country may take place on the basis of an adequacy decision. This is a special decision by the European Commission stating that the third country, a part of it, a certain sector in that country or an international organization ensures an adequate level of protection of personal data.
In taking this decision, the European Commission should consider the following: the law that is complied with in that sector or area, including, inter alia, human rights, case law, professional rules and security measures; the existence of an effectively functioning independent body that supervises compliance with rules on the protection of personal data; and existing international obligations.
Transfer with appropriate safeguards
If no adequacy decision has been taken by the European Commission, it is still possible to transfer personal data. This is only possible if the controller or processor provides adequate safeguards, and provided that the data subject has enforceable rights concerning his or her personal data and has remedies available. These appropriate safeguards may be provided, without a specific authorisation from a supervisory authority, by means of a legally binding and enforceable instrument, binding corporate rules, standard data protection clauses adopted by the Commission or by a supervisory authority and approved by the Commission, approved rules of conduct or an approved certification mechanism.
Situation deviating from the adequacy decision or transfer with appropriate safeguards
Where the Commission has taken no adequacy decision and a transfer with adequate safeguards has not been and cannot be carried out, personal data may only be transferred to a third country if the data subject has explicitly consented to the transfer, the transfer is necessary for the performance of a contract on the basis of consent or in the interest of the data subject, the transfer is necessary in the public interest, it is necessary in connection with the establishment, exercise or defence of legal claims, it is necessary in order to protect vital interests, or the transfer is made from a register that was established on the basis of EU legislation or the legislation of one of the Member States in order to inform the public and that can be consulted. In addition, such a transfer of personal data may only take place if it is not repetitive, concerns only a limited number of persons and is necessary in view of overriding legitimate interests, if it is assessed whether appropriate measures are being or have been taken to protect the personal data, and if the supervisory authority and the data subject are kept informed.
Transfer of Personal Data to the United States
With respect to transfers of personal data to the United States, a specific adequacy decision applies. However, this adequacy decision, at present the 'Privacy Shield', has a long history and is currently under review.
Before the Privacy Shield came into effect, there was the 'Safe Harbor Agreement', which concerned a list of U.S. organizations that were considered to offer adequate protection of personal data and to handle this data securely. This Safe Harbor Agreement was declared null and void in 2015. A very important factor in declaring the Safe Harbor Agreement invalid was that organizations could join it by declaring themselves to offer an adequate level of protection of personal data.
After the Safe Harbor Agreement was declared invalid, the Privacy Shield came into effect. This is another adequacy decision, covering companies from the United States that can offer an adequate level of protection of personal data. Currently, the Privacy Shield is also being scrutinized and criticized. It is possible that the Privacy Shield will also be declared invalid.