Transfers of Personal Data Outside of EU/EEA
The transfer of personal data abroad means, for example, the technical transfer of data for storage on servers located in the territory of another country, but it also covers cases where the data is merely accessed from another country. When transferring personal data abroad, attention should be paid to whether the transfer takes place within a Member State of the European Union or the European Economic Area, or whether data is transferred outside of them to a third country (a country outside the EU/EEA).
For example, if a Finnish company has a subsidiary located in Singapore that has access to the group's shared HR system, this constitutes a transfer of data outside the EU/EEA. Access to data from a third country must therefore also be taken into account when assessing whether data is being "transferred" outside the EU/EEA.
Grounds for the transfer of personal data
As a rule, the transfer of data outside the EU/EEA area is only permitted when a sufficient level of data protection can also be ensured in the destination country.
First of all, a transfer outside the EU/EEA may be permitted if the European Commission has assessed and decided that the destination country has an adequate level of data protection. Such adequacy decisions have been issued for countries such as Switzerland, Great Britain, Canada (for commercial organizations), Argentina, Japan and South Korea. If there is an adequacy decision, no other grounds for transfer are needed.
Transfers of personal data to the United States are currently permitted under the European Commission's adequacy decision of 10.7.2023, provided that the recipient organisation participates in the EU-US Data Privacy Framework.
If no adequacy decision has been issued for the destination country, the other possible grounds for transfer are listed in Chapter V of the GDPR. The most commonly used basis for transfer is the Standard Contractual Clauses (SCC) approved by the European Commission. The standard clauses may be used between two controllers, between two processors, or between a controller and a processor. In a transfer based on the standard clauses, both parties to the transfer agree to abide by the clauses in that transfer arrangement. The SCCs are divided into four modules adapted to different transfer scenarios, depending on the roles (controller/processor) of the party transferring the data and the recipient of the data.
In certain cases, binding corporate rules, approved codes of conduct or an approved certification mechanism together with binding and enforceable commitments may be used instead of the SCCs. Data transfers between public authorities and the public sector may also be subject to specific bilateral or multilateral mechanisms. However, all of the criteria above require prior regulatory approval before they can be used.
Whether data is transferred on the basis of an adequacy decision or on a specific ground for transfer, the controller transferring the data must always ensure that there is a legal basis for the processing that the transfer involves and that the recipient of the data has the right to process the personal data transferred.
Additional safeguards for data transfer
In addition, irrespective of the grounds used for the data transfer, the parties to the transfer (in particular, the data controller) must assess the need for additional safeguards for the transfer of data.
This type of assessment is called a Transfer Impact Assessment (TIA). The purpose of the assessment is to determine whether the grounds for transfer alone are sufficient to ensure data protection or whether, in addition to the grounds for transfer, technical, organisational or contractual measures are needed to strengthen the protection of personal data in the destination country. When assessing the adequacy of the grounds for transfer, special attention shall be paid to the legislation and the actual practices of the authorities of the recipient country.
Transfers of personal data must be described in the privacy policy
Possible transfers of data outside the EU/EEA and the grounds for transfer used in them must be described in the privacy policy or privacy statement. For more information on privacy policies, see [Information Obligation of the Controller].