Transfers to third countries

Controllers and processors must comply with the conditions set out in the Applied GDPR to ensure that the level of protection guaranteed is not undermined. Transfers must not take place unless they are in full compliance with the Applied GDPR.

The controller or processor must document the safeguards put in place as part of the accountability requirements.

The conditions for transfers

Transfers with an adequacy decision

Transfers to countries or international organisations with an adequacy decision from the EU do not require specific authorisation by a supervisory authority. 

The existing adequacy decisions, including that of the Isle of Man, will remain valid until they are amended, replaced or repealed by the EU Commission. A review of the existing decision is anticipated shortly after the GDPR becomes enforceable, at which time the adequacy of compliance with the GDPR (not the old Directive) will be assessed. This timescale is supported by the Opinion of the Article 29 Data Protection Working Party on the adequacy of the protection for personal data in the proposed EU-US Privacy Shield.

However, as a result of the Schrems judgment in October 2015, controllers or processors transferring personal data to an existing adequate third country must still consider whether, in their view, the third country does, in fact, provide an appropriate level of protection for the particular data transfer.   

Transfers by way of appropriate safeguards

Where no adequacy decision has been made, transfers can be made only if the controller or processor has “adduced appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available”.

Specific authorisation by a supervisory authority is not required if appropriate safeguards are met. Such safeguards must include compliance with the general principles of data protection and the principles of data protection by design and by default.

The following safeguards are specified:

Adoption of the Commission’s standard data protection clauses (or those of an EU supervisory authority approved by the Commission)

The European Commission has approved two sets of standard data protection clauses which can be inserted into a contract and can offer sufficient safeguards on data protection for the data to be transferred internationally. These clauses can be found at:

New standard clauses are yet to be created.

Transfers by way of binding corporate rules

Binding corporate rules (BCRs) can be approved by EU supervisory authorities (but not by the Information Commissioner). Details about the specifications and requirements of BCRs are set out in Article 43 of the EU GDPR.

Specific circumstances

If the transfer does not meet any of the conditions, it can still take place if one of the following circumstances applies (* not applicable to public authorities in exercise of their public powers):

Is necessary

In any other case* a transfer can only take place if it:

The controller must document the assessment undertaken as well as the safeguards implemented in the records of processing activities as part of the accountability obligations and provide details about the transfer and the compelling legitimate interests to the data subject and the supervisory authority. 

Transfers or disclosures ordered by a third country

Any judgment of a court, tribunal or administrative authority of a third country ordering a disclosure or transfer of personal data to that third country may only be recognised or enforceable if there is an international agreement (for example a legal assistance treaty) in place between the third country and the European Union (including the Isle of Man) or a Member State.