Transferring Data Outside of the European Economic Area

• Author: David Zetoony
• Profession: Is a partner in the Boulder, Colorado office of Bryan Cave Leighton Paisner, LLP, an international law firm
• Pages: 103-125

103

tRAnsfeRRInG

DAtA oUtsIDe of

tHe eURopeAn

econoMIc AReA

Q.114 WHAt Is A “DAtA expoRteR”?

In the context of the GDPR a company is referred to as a “data exporter”

if it collects personal data within the European Union and sends that data

outside of the European Union.

Q.115 WHAt Is A “DAtA IMpoRteR”?

In the context of the GDPR a company is referred to as a “data importer”

if it is located outside of the European Union and receives personal data

that is being transmitted by a data exporter that is inside of the European

Union.

Q.116 ARe coMpAnIes ALLoWeD to tRAnsfeR

peRsonAL DAtA oUtsIDe of tHe

eURopeAn econoMIc AReA?

Companies are allowed to transfer personal data outside of the European

Economic Area provided they have put in place a mechanism that

imposes many of the substantive provisions found within the GDPR

upon the data once the data leaves the European Economic Area.

Alternatively, such measures are not required if the country to which

the data is being transferred has been recognized by the European Com-

mission as ensuring an adequate level of protection, pursuant to Article 45.

Canada, Israel, and Argentina, among others, have been recognized as

104 TH E EU GEnEral DaTa PrOTECTIOn rEGUlaTIOn (GDP r)104 TH E EU GEnEral DaTa PrOTECTIOn rEGUlaTIOn (GDP r)

ensuring adequate protection. It is expected that the United Kingdom,

after Brexit, will also be recognized as ensuring adequate protection

(although it is unclear how quickly such a decision will be rendered).

Existing mechanisms (“Safeguards”) which are recognized as impos-

ing a sufcient measure of the substantive provisions of the GDPR are:

• Standard data protection clauses. “Standard Contractual Clauses”

or “Model Contractual Clauses” refer to contractual clauses that

have been reviewed and approved by the European Commission.

There currently exist Standard Contractual Clauses designed to

facilitate the transfer of personal data from a controller within the

European Economic Area to a Controller outside of the European

Economic Area (i.e., controller-to-controller clauses), as well as

Standard Contractual Clauses designed to facilitate the transfer

of personal data from a controller within the European Economic

Area to a processor outside of the European Economic Area (i.e.,

controller-to-processor clauses);

• Binding Corporate Rules. Binding corporate rules (“BCRs”) refer

to a set of internal policies, procedures, and protocols that are

adopted between and among a group of interrelated entities (e.g., a

multinational corporation), are presented to a supervisory author-

ity, and are ultimately approved by that supervisory authority;

• Privacy Shield. Privacy Shield refers to an agreement entered into

between the U.S. Department of Commerce and the European

Commission under which a company can self-certify to the Depart-

ment of Commerce that it will abide by privacy principles that are

similar in nature to those contained within the GDPR.

The GDPR also provides for the potential development of two new

Safeguards:

• Codes of conduct that may be approved at a later date and to which

data importers may commit to adhere; or

• An approved certication mechanism providing for privacy stan-

dards to which data importers may adhere and commit.