EU Data Transfers: an introduction

January 2013

The EU Data Protection Directive 95/46/EC (the Directive) regulates the export of personal data outside of the EEA. The Directive states that there should be no transfers of personal data to countries outside the EEA unless the recipient country ensures 'adequate' protection for data subjects and their personal data.

Data controllers should be aware that the Directive provides for a minimum standard regarding the processing of personal data, which includes any export of the data. The Directive has been transposed into local legislation in each EU member state; in some jurisdictions this has been done through imposing further limitations or greater requirements, so the protection afforded to data subjects may "be enhanced" by such additional protection over and above the requirements of the Directive.

Data transfers outside the EEA typically include the following examples:

  • personal data communicated over the telephone, by email, fax, letter, through a web tool or in person to a country outside the EEA;
  • IT systems or data feeds which lead to personal data being stored on databases hosted outside the EEA;
  • people/entities outside the EEA being able to access or "see" personal data held in the EEA; and
  • the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.

In certain circumstances (dependent upon the type of personal data and the processing activity), the options to secure adequacy for the international transfer may fall within a statutory derogation. These are outlined below:

  • the data subject has given consent to the transfer;
  • the transfer is necessary for the performance of the contract between the data subject and data controller;
  • the transfer is necessary for the conclusion of the contract between the data subject and data controller;
  • the transfer is necessary or legally required due to important public interest grounds;
  • the transfer is necessary in connection with the exercise of the defence of legal proceedings/obtaining legal advice; and
  • the transfer is necessary to protect the vital interests of the data subject.

Whilst consent is often seen as the ‘master key’, a closer examination shows how impractical this can be in many scenarios. The consent must typically be informed, explicit, voluntary and ideally linked to an audit trail, for example, a signature or electronic click-through mechanism. This is especially the case if any sensitive personal data is involved.

Unfortunately, in some EU states consent from employees is not recommended as a viable solution because consent within an employment environment is often not believed to be voluntary. In any event, any consent (as it is voluntary) can be withdrawn at any time. Guidance has been produced by some national data protection authorities as to when consent can be relied upon for specific processing activities such as data transfers.

Key Solutions

Transfers of personal data outside of the EEA may be permitted in certain circumstances, for example, through one or more of the approved solutions to achieve the "adequate safeguard" requirement under the Directive. Broadly, this will ensure compliance with local data protection law in regard to data transfers (subject to additional conditions also being met in some jurisdictions).

The permitted methods can be summarised as:

  • transfers to countries "deemed" to have adequate safeguards in place;
  • transfers to US companies that have self-certified under the "Safe Harbor framework";
  • transfers using the appropriate EU Commission-approved model transfer terms;
  • transfers subject to the use of binding corporate rules (BCRs);
  • transfers in accordance with an approved private contract; and
  • companies that have self-assessed their adequacy (in some jurisdictions).

It should be noted that transfers between countries in the EEA are automatically deemed sufficiently protected subject to compliance with the other seven data protection principles.

Territories deemed to have adequate safeguards in place

The European Commission has agreed that certain territories provide adequate safeguards for the purposes of the Directive. These are currently:

  • Andorra
  • Argentina
  • Canada
  • Guernsey
  • Isle of Man
  • Israel
  • Jersey
  • New Zealand
  • Switzerland
  • Faroe Islands
  • Uruguay

Transfers out of the EEA and into these territories will not breach the adequate safeguard requirement. The list of territories is clearly limited; however it does, in effect, create a larger European data transfer zone. The list may also be subject to change from time to time as new adequacy rulings are made by the European Commission.

See these represented on our Risk Map.

See our summary of adequacy solutions table.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

European Union
Vinod Bange


Sally Annereau

Lucy Lyons

Vinod, Sally and Lucy review the current European data protection guide and analyse different solutions to data transfer problems.