OneTrust GDPR Deep Dive Series Chapter 5: Transfers of Personal Data to Third Countries or International Organisations

Chapter 5 is brief but important. It discusses restrictions on the transfer of personal data to countries outside the European Economic Area (EEA) and to international organisations.

Although it differs little from the Directive, this chapter discusses terms that are key to helping organisations understand how EU data protection law applies to them, e.g. what constitutes personal data and how the transfer of this information will affect their business.

Congruent with the laws outlined in the Directive, data does not need to be physically transported to be transferred, and the GDPR considers viewing data that is hosted in another location to be a transfer.

Multi-national companies are particularly exposed, as they frequently move data outside the boundaries of the organisation to international third-party providers (e.g. banks, insurance providers, staffing firms).

Most companies transfer data via email, which does not require encryption or password protection. This exchange of information should ideally take place through a portal or document storage system, but rarely does due to inconvenience.

GDPR will ensure that organisations take extra steps toward encrypting data transfers, as outlined in Article 46, which states that personal data can be transferred to a third country or international organisation “only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”

Organisations preparing for GDPR should inform relevant decision makers about the revised definitions to ensure compliance of documents, procedures, and policies, in particular those having to do with HR, IT, or any policies that might affect individual customers.

Chapter 5 Articles & Descriptions
Article 44: General principle for transfers
Article 45: Transfers on the basis of an adequacy decision
Article 46: Transfers subject to appropriate safeguards
Article 47: Binding corporate rules
Article 48: Transfers or disclosures not authorised by Union law
Article 49: Derogations for specific situations
Article 50: International cooperation for the protection of personal data
Recitals: 101-116

GDPR will come into effect on May 25, 2018, and OneTrust believes that every global organization should start considering how to best implement efficient and effective data-handling practices that are replicable and consistent. The GDPR Deep Dive Series delves into each chapter of the GDPR to summarize key takeaways of the new governance in an easy-to-digest format. It is intended to help privacy executives with implementation and operationalization of GDPR regulations, and will be published bi-weekly on our blog.