KPMG Law LLP

14 February 2024

A stated aim of the GDPR is the free flow of personal data between Member States. The transfer of personal data to countries outside the EEA, however, requires special consideration. Our Data Protection and Privacy team explains these considerations below.

In essence, an organisation in Europe cannot send individuals’ personal data outside the EEA: such transfers are prohibited unless one of the exceptions to this general rule can be satisfied.

Transfers outside the EEA require one of the following:

  1. An adequacy decision in respect of the country (or territory, sector or international organisation) the personal data is being transferred to; or
  2. Appropriate safeguards in place to protect the personal data being transferred; or
  3. Reliance on one of the derogations for specific situations set out in the GDPR.

Trust is key when it comes to data transfers internationally. Remember that privacy and data protection are fundamental rights, which stem from human rights, and therefore the rights of EU data subjects should flow where their data goes.

Organisations must map where personal data goes. If it leaves the EEA, your organisation must be able to show where the personal data travels to, identify the transfer mechanism relied on for each destination, and record it (the record of processing activities required by Article 30 GDPR must include transfers to third countries and, where relevant, the documentation of the safeguards in place) so that the individuals’ rights are protected.

Let’s talk a little bit more about adequacy

Adequacy decisions are formal decisions made by the European Commission which recognise that another country, territory, sector or international organisation provides a level of protection for personal data that is essentially equivalent to that guaranteed in the EU.

These decisions are based on an assessment carried out by the European Commission (the “Commission”). The Commission considers, among other things, the rule of law, respect for human rights and fundamental freedoms, the relevant local legislation, the access of public authorities to personal data, the existence of effective and enforceable data subject rights, and the existence of an independent supervisory authority (see footnote 1). Once adequacy is granted, the decision is subject to periodic review, at least every four years, and can be amended, suspended or repealed if the country no longer ensures an adequate level of protection.

What is the situation with transfers of personal data to the USA?

The past few years have seen some turbulence with transferring personal data to the USA.

The EU-US Data Privacy Framework (the “DPF”) is now in place, and the question on everyone’s mind is whether we can expect a challenge to the DPF in 2024. While that is possible, there is optimism that the DPF has adequately addressed the concerns raised in the CJEU decisions that led to the striking down of Safe Harbour (Schrems I) and the Privacy Shield (Schrems II).

It is also a positive step that the USA has implemented changes to its signals intelligence framework (by Executive Order) to better align with EU requirements: limits of necessity and proportionality on the collection of personal data for national security purposes, and a redress mechanism available to EU data subjects. The view for now is that the DPF is a stable mechanism for transfers that takes into account the concerns of the CJEU in the Schrems II ruling.

What are the appropriate safeguards?

If there is no adequacy decision, then ‘appropriate safeguards’ may be used to transfer personal data internationally lawfully.

Appropriate safeguards are legal tools designed to ensure that recipients of personal data outside the EEA process and protect that data to the same standard as in Europe, and that data subjects retain enforceable rights and effective legal remedies. Not all of them require prior approval from a supervisory authority: the safeguards listed in Article 46(2) GDPR (including SCCs, approved codes of conduct and certification mechanisms) may be relied on without specific authorisation, whereas ad hoc contractual clauses and certain administrative arrangements between public bodies (Article 46(3)) require authorisation from the competent supervisory authority. BCRs are a separate case, as they must themselves be approved before they can be used.

Helpfully, the GDPR sets out a list of appropriate safeguards that a data controller or data processor may rely on. We set out below details of two of them:

  1. Binding Corporate Rules (BCRs) allow a corporate group or group of enterprises engaged in a joint economic activity to adopt a suite of policies, binding on every member of the group, governing how personal data is handled. Once the competent supervisory authority approves the rules (following an opinion of the European Data Protection Board), the group may transfer personal data between the entities bound by the BCRs wherever in the world they are located.
  2. Standard Contractual Clauses (SCCs) are model data transfer terms adopted by the European Commission, designed to help controllers and processors transfer personal data outside the EEA lawfully. Their text cannot be altered, other than to select the relevant module and optional clauses, complete the annexes and add further safeguards that do not contradict the clauses. Since Schrems II, exporters relying on SCCs are also expected to assess whether the law and practice of the destination country undermine the protection the clauses provide and, if so, to put supplementary measures in place. In our experience, SCCs are the most commonly used appropriate safeguard.

As mentioned at the outset, there is also the option to rely on one of the derogations for specific situations in Article 49 GDPR (for example, the data subject’s explicit consent to the proposed transfer, or a transfer necessary for the performance of a contract with the data subject). However, the derogations are interpreted restrictively, are intended for occasional and non-repetitive transfers, and are seen as a last resort where there is no adequacy decision and no appropriate safeguards are in place.

Predictions for this year

We will see the first review of the DPF, which will be worth keeping an eye on to see how it is settling in and working in practice.

We have already seen the Commission’s recent review of the 11 adequacy decisions adopted before the introduction of the GDPR, and you can read our analysis here. Further, there may be a new adequacy decision for Brazil, depending on how talks progress.

There is lots to watch out for in the sphere of international data transfers. Stay in touch with us as we continue to highlight any changes in this area.

Contact the team

Emma Ritchie

Head of Data Protection & Privacy

Footnotes

1. For a list of countries that the Commission has recognised as providing adequate protection, see the Commission website here.