View the PDF

The month of November has been accompanied by an interesting novelty in terms of Data Protection, in relation to international transfers of personal data. This information circular aims to address the requirements to carry out this type of transfers and analyze the new features introduced by the European Commission in this area.

“International transfer of personal data” means the sending of data from Spanish territory to recipients established in countries outside the European Economic Area (the countries of the European Union plus Liechtenstein, Iceland and Norway).

In order to carry out this type of transfer, express authorization must be requested from the competent control authority (the “Agencia Española de Protección de Datos” in the case of Spain). However, it is possible to circumvent this obligation if the conditions set out in Chapter V of Regulation (EU) 2016/679 of April 27, 2016 (hereinafter also “GDPR”) are met.

The first condition that must be met in order to carry out an international transfer, without requiring any specific authorization, is that the recipient of the personal data must be in a country that the Commission has decided guarantees an adequate level of protection (article 45 GDPR). To this end, the Commission maintains a list of these countries[1] in the Official Journal of the European Union and on its website.

In the absence of a previous adequacy decision by the Commission, the processing of data should present one of the following guarantees (Article 46.2 GDPR):

  1. a legally binding instrument enforceable between public authorities or bodies;
  2. binding corporate rules (art. 47 GDPR);
  3. standard data protection clauses adopted by the Commission;
  4. standard data protection clauses adopted by a supervisory authority and approved by the Commission;
  5. code of conduct (approved in accordance with article 40 GDPR);
  6. a certification mechanism (approved in accordance with article 42 GDPR).

In the absence of a decision of adequacy by the Commission and the aforementioned guarantees, an international transfer of data may only be carried out if one of the conditions set forth in article 49 GDPR is met (e.g., that the data subject has explicitly consented to the transfer). Otherwise, express authorization must be requested from the “Agencia Española de Protección de Datos”.

The most recent development in the field of international data transfers is the publication, on November 12, of the European Commission’s Decision on standard contractual clauses for the transfer of personal data to third countries (draft version submitted for public consultation until December 10). The Decision provides for an Annex containing the contractual clauses to be included in data processing agreements involving international transfers, in order to comply with the guarantee of article 46.2 c) GDPR.

The publication of this Decision is motivated by the ruling of the European Court of Justice, of July 16, 2020, in case C-311/18 (Schrems II ruling), which has declared the Privacy Shield invalid for international data transfers to the USA (Decision 2016/1250). In this sense, the ruling of the European Court of Justice requires a review of the data processing agreements concluded between data exporters located in the EU and importers located in the United States, in order to ensure that they comply with the guarantees required by law at the European level.

Therefore, five months after the pronouncement of the European Court of Justice, the aforementioned draft Decision on standard contractual clauses for international transfers is published, in order to promote its use and, thus, guarantee the high level of protection required in Chapter V of Regulation (EU) 2016/679.

[1] Consult the following link to know the third countries recognized by the European Commission, up to now, as safe in the field of personal data protection: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en