International data protection
We would be happy to advise you on the requirements for cross-border data flows and point out any legal pitfalls that may lurk here. This topic is naturally of great importance in times of increasingly global business relationships, supply chains, and corporate structures. The use of cloud computing providers, who could store the personal data of your employees or customers in data centers around the world without you being able to tell at first glance, plays a major role here
First Stage
The issue is not only a question of which country’s law applies or which supervisory authority is responsible, but also, and in particular, how the transfer of personal data to a so-called third country can be made permissible.
A third country is basically any country outside the EU or the EEA. Several requirements must be met for transfers to recipients in a third country:
The requirements of the GDPR that must be met for every transfer of personal data must also be complied with for transfers to recipients in a third country.
Second Stage
In addition, when transferring personal data to recipients in a third country, it must be ensured that an adequate level of data protection is guaranteed in the third country.
Depending on the third country and the recipients, different solutions may be considered for the “second stage,” such as:
- Adequacy decisions by the European Commission,
- Appropriate safeguards such as standard contractual clauses or binding corporate rules, as well as derogations under the GDPR for specific cases.
Whether the requirements are met in a specific case often depends on details:
- Does the legal situation in the third country require additional measures beyond the standard contractual clauses in order to achieve an adequate level of data protection?
- Is the transfer to a recipient in the US covered by their EU-U.S. Data Privacy Framework certification?
