Nick Veringmeier

General Data Protection Regulation (GDPR) - Cross-Border Data Transfers

Updated: Apr 9, 2019

The General Data Protection Regulation impacts all health data processing companies because of the growing importance of customer and patient data to the manufacturer’s business. All companies have to be compliant by 25th May 2018.

This blog gives an overview of all the possibilities included in the GDPR to allow Cross-Border Data Transfers to third countries.


1. GDPR – General


The GDPR is an update of the 1995 Data Protection Directive concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data:

  • Impacts all health data processing companies because of the growing importance of customer and patient data to the manufacturer’s business

  • Most new rules and regulations do not allow grandfathering

  • Member States will have the opportunity to maintain or introduce further conditions with regard to the processing of genetic data, biometric data and data concerning health

  • All companies have to be compliant by 25th May 2018


2. Adequate Jurisdictions


Data Transfer to Adequate Jurisdictions

Cross-Border Data Transfers are allowed when the transfer is being made to an Adequate Jurisdiction. This implies that the third country has received an Adequacy Decision from the European Commission.

The Adequacy Decision is influenced by:

  • Legal protections for human rights and fundamental freedoms

  • Rule of law

  • Access of public authorities to transferred data

  • The existence of Data Protection Authorities and their functioning

  • Other international commitments and obligations regarding the protection of personal data

Review of Adequacy Decision

Adequacy Decisions are subject to regular review by the European Commission:

  • Adequacy Decisions are periodically reviewed, at least every four years

  • Following the review, the status of Adequate Jurisdiction can be repealed, amended or suspended by the European Commission

  • Any change made to the Adequacy Decision following a review is not implemented retroactively


3. Allowed Safeguards


In the absence of an Adequacy Decision, a number of safeguards are allowed as a basis for Cross-Border Data Transfers:

  • Agreements between Public Authorities

  • Binding Corporate Rules

  • Model Clauses

  • DPA Clauses

  • Codes of Conduct

  • Certification

Agreements between Public Authorities

Cross-Border Data Transfers are allowed between public authorities:

  • Based on legally binding and enforceable agreements between these public authorities

  • Does not require any specific Data Protection Authority (DPA) authorisation

  • The public authorities ensure that the agreement is compliant with all GDPR requirements

Binding Corporate Rules

In accordance with Article 47, Cross-Border Data Transfers are allowed based on Binding Corporate Rules (BCR):

  • The Binding Corporate Rules require approval by the competent DPA

  • Following the approval, no further DPA approval is necessary for personal data transfers made under the BCR

Model Clauses & DPA Clauses

  • Model Clauses are standard data protection clauses, as approved by the European Commission. DPA Clauses are the national alternatives to these Model Clauses.

  • In both cases, no further DPA authorisation is required.


Codes of Conduct

Cross-Border Data Transfers can take place on the basis of an approved Code of Conduct, including binding and enforceable commitments of the controller or processor in the third country.


Transfers made on this basis do not require DPA approval. The Code of Conduct itself, however, does require DPA approval.


Certification

Cross-Border Data Transfers can take place on the basis of a DPA-approved Certification, together with binding and enforceable commitments of the controller or processor to apply all appropriate safeguards. Transfers made on this basis do not require DPA approval. The Certification itself, however, does require DPA approval.


4. Derogations

Besides transfers to an Adequate Jurisdiction or under the allowed Safeguards, a number of exceptions (derogations) are possible under which personal data can be transferred outside the EU without adequate protections:

  • Specific situations related to the Data Subject

  • Public Interest

  • Legal Claims

  • Public Register

  • Compelling Legitimate Interests

  • Administrative Arrangements

  • Third Country Judgements and Decisions


Specific situations related to the Data Subject

Cross-Border Data Transfer is possible whenever:

  • The Data Subject has given explicit consent, after having been clearly informed of all risks related to such a transfer.

  • The transfer is necessary for the performance of a contract between data subject and data controller or the implementation of pre-contractual measures taken in response to the data subject’s request.

  • The transfer is necessary for the performance or conclusion of a contract between data controller and a third party, provided the transfer is in the interest of the data subject.

  • The transfer is necessary in order to protect the data subject’s or other persons’ vital interests, provided the data subject is physically or legally incapable of giving consent.


Public Interest

Cross-Border Data Transfer is possible when the transfer is necessary for important reasons of public interest.


The cited reasons of public interest need to be recognised in the European Union’s law or in the law of the Member State to which the data controller is subject.


Legal Claims

The transfer is necessary for the establishment, exercise or defence of legal claims.


Public Register

Cross-Border Data Transfer is allowed when the transferred data are taken from:

  • A register which is open to the public

  • Or a register that is, upon request, open to any person who can demonstrate a legitimate interest in inspecting it.

However, this derogation does not permit the Cross-Border Data Transfer of the entire register.


Administrative Arrangements

Cross-Border Data Transfer is possible on the basis of administrative arrangements between different public authorities, provided that the data subject’s rights are adequately protected.


These transfers require approval from the relevant DPA.


Third country judgements and decisions

A judgment from a third country, requiring a Cross-Border Data Transfer, only provides a lawful basis for such a transfer if the transfer is based on an appropriate international agreement, such as a Mutual Legal Assistance Treaty.


These transfers require approval from the relevant DPA.


Compelling legitimate interests

The final possible derogation allows for great flexibility but also requires strict and detailed internal documentation. If a Data Transfer is not possible based on any of the derogations above, a transfer to a third country or international organisation is possible for the purpose of compelling legitimate interests if:

  • The transfer is not repetitive

  • It concerns a limited number of data subjects

  • Suitable safeguards are put in place for the personal data

  • The cited legitimate interests do not override the interests or rights and freedoms of the data subjects concerned

  • Both the relevant DPAs and the data subjects are informed about the transfer