Frequently Asked Questions
International data transfers in front of the GDPR are transfers of data outside of the European Economic Area (EEA) and thus outside of the protection of the GDPR.
These type of transfers are restricted under the GDPR, no matter the size of the transfer or how often it occurs.
Transfers of data to the UK will after the Brexit also count as international data transfers, if the UK becomes a third country under the GDPR.
The UK will most likely become a third country after brexit. Therefore any transfer in and out of the UK has to be carefully considered. If data is being transferred outside of the UK, the transfer has to comply with UK data protection regulations. All data transfers from the EU into the UK have to comply with the GDPR. UK companies that are treating personal data from the EU and do not have a EU office, will need to appoint a European representative.
Transfers of data outside of the European Economic Area (EEA) are restricted under the GDPR. Personal data transfers in countries outside of Europe is only permitted in certain cases:
- Under an Adequacy Decision, which the EU and UK are currently negotiating. Between the EU and US exists an adequacy decision, the EU-US Privacy Shield, which allows private data transfers from the EU to US companies which are certified under the Privacy Shield.
- If contractual terms are ensuring an adequate level of protection, which have been approved by the European Commission. Or if a by the European Commission approved code of conduct is in place.
- International data transfers that are made under BCRs (Binding Corporate Rules) according to the procedure defined by the GDPR.
- There are some exemptions defined for non-reoccurring transfers as defined in Article 49, GDPR.