How-to guide: How to transfer personal data lawfully outside the European Economic Area (EEA)

Updated as of: 02 March 2025

Introduction

This guide will inform in-house counsel and private practitioners about how to lawfully transfer personal data outside the European Economic Area (EEA), as well as assist them when advising internal or external clients about such issues. 

This guide is EU-focused and reflects the requirements of Regulation (EU) 2016/679 – General Data Protection Regulation (EU GDPR) and also covers:

  • general requirements under the EU GDPR; and
  • the European Data Protection Board (EDPB) and, where relevant, EU member states’ supervisory authorities’ interpretation of such EU GDPR requirements.

In this guide, repeated references are made to the ‘EU GDPR’. Such references do not extend to any local European Economic Area (EEA) data protection law requirements or interpretation of the EU GDPR by EEA data protection regulators.

In this guide, repeated references are also made to the ‘EEA’ since the EU GDPR applies to not only all 27 member states of the European Union, but also to all member countries of the EEA. The EEA is an area larger than the EU and includes Iceland, Norway and Liechtenstein. 

The legal basis for the applicability and enforceability of the EU GDPR in the EEA is an international agreement known as the Agreement on the EEA, made in 1992, which brought EU member states and Iceland, Norway and Liechtenstein into a single market. The purpose of the agreement is to strengthen trade and economic relations among the countries by removing trade barriers and imposing equal conditions of competition and compliance with the same rules. The EU GDPR was among a number of EU legal acts incorporated into the EEA Agreement by the EEA Joint Committee during July 2018. When the national legislation in EEA countries was subsequently amended to incorporate the EU GDPR, the law became applicable throughout the EEA. As a result, for international personal data transfers subject to the EU GDPR, it is more appropriate to consider the compliance requirements for the EEA rather than just the EU.

This guide covers the following:

  1. What is a (restricted) transfer of personal data?
  2. How to transfer personal data lawfully outside the EEA
  3. Failure to comply with data transfer requirements
  4. How to approach a data transfer project

Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’, ‘international organisation’, ‘third country’, ‘EU GDPR’ and ‘processing’ are further explained in How-to guide: Understanding key data protection definitions.

This guide is intended to be used in conjunction with Checklist: Making an international transfer of personal data under the GDPR. The checklist is designed to help you decide which steps you need to follow and which actions you need to take to ensure that you are making a restricted transfer of personal data in compliance with the EU GDPR.

This guidance reflects the EU’s current position on personal data transfers as at the date of publication and does not include any further updates on future data transfer developments. These and other relevant developments in this fast-moving area of law should be monitored.

Section 1 – What is a (restricted) transfer of personal data?

In this guidance, we refer to the organisation sending data outside the EEA as the ‘data exporter’ or ‘exporter’ and the party outside the EEA receiving the data as the ‘data importer’ or ‘importer’.

The EU GDPR does not provide a legal definition of a ‘restricted transfer’ of personal data to a third country or to an international organisation. A restricted transfer is frequently also referred to as a ‘transfer’, an ‘international data transfer’, or a ‘cross-border transfer of personal data’.

However, the EDPB has provided guidance on the requirements on restricted transfers in their Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR. This states that ‘The EDPB has identified the three following cumulative criteria that qualify a processing as a transfer:

  1. A controller or a processor is subject to the GDPR for the given processing.
  2. This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
  3. The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.’

1.1 The EU GDPR applies to the personal data being transferred

The scope of the EU data protection framework is set out in articles 2 (material scope) and 3 (territorial scope) of the EU GDPR. If the data exporter is in the EEA, then the EU GDPR will apply to them and any restricted transfers that they make.

In some cases, the EU GDPR can apply to a controller or processor located outside the EEA (eg, if they are located outside the EEA but ‘target’ data subjects located in the EEA – also known as the ‘targeting criterion’ under article 3(2) of the EU GDPR). The targeting criterion means that the EU GDPR will apply to the processing of personal data of data subjects who are in the EEA by a controller or processor not established in the EEA, where the processing activities relate to:

  • the offering of goods or services to data subjects in the EEA; or
  • the monitoring of their behaviour as far as the behaviour takes place within the EEA.

If a processor or controller not established in the EEA is subject to the EU GDPR under the targeting criterion, the requirements regarding restricted transfers will apply to transfers that they make within the same third country or to another third country. For example, if a controller or processor located in Australia processes the personal data of EEA data subjects under the targeting criterion (article 3(2) of the EU GDPR), any transfer of that data either within Australia or to any other third country will be subject to the EU GDPR. The exporter will have to take into account that EU GDPR transfer requirements are the same for exporters located in the EEA and exporters located outside the EEA if the processing falls under article 3(2) of the EU GDPR.

1.2 The exporter is sending personal data or otherwise making it available to a data importer located outside the EEA

A transfer can refer to any type of disclosure of personal data or making the personal data available or accessible in some other way. A restricted transfer therefore takes place when a person who is part of a legally distinct controller or processor and is located outside the EEA accesses in any way the personal data on another (separate) entity’s system or via a website.

For example, personal data can be ‘made available’ by:

  • creating an account on a website or platform;
  • putting personal data on a website;
  • granting access rights to an existing account;
  • confirming or accepting a request to remotely access the personal data;
  • embedding a hard drive; or
  • submitting a password to a file.

Other common situations encountered in practice that are also considered to be restricted transfers from an EU GDPR perspective are:

  • remotely accessing personal data from a third country – for example, by displaying personal data on a screen, such as for the purposes of support services, troubleshooting or administration; or
  • storing personal data in a cloud environment (either owned by the data exporter or provided by a third-party service provider) hosted on servers outside the EEA.

1.3 The exporter and importer are legally distinct entities

The exporter and importer must be separate legal entities. They can be either sole traders, partnerships, companies, public authorities or other types of organisations. Transfers occurring between separate entities within the same corporate group may also be restricted transfers.

However, sending personal data within the same legal entity (eg, sending personal data to an employee of the same entity or between branches or offices that do not have a separate legal personality) will not qualify as a restricted transfer.

1.4 Transfers from processors to controllers

Sending or returning personal data by a processor to their controller (even if located outside the EEA) will not be a restricted transfer, provided that the controller is the controller of that same personal data (ie, the processor has likely collected the transferred personal data on behalf of that controller).

The personal data transfer is always the responsibility of the controller, as it must always have been initiated and agreed by them, most likely in the data processing agreement concluded between the controller and the processor. This transfer cannot be restricted as it would be a transfer within the same legal entity (ie, from the controller back to the same controller).

A processor is responsible for complying with the transfer rules if they have initiated and agreed to the data flow, usually to their sub-processors.

Section 2 – How to transfer personal data lawfully outside the EEA

Chapter V of the EU GDPR sets out the different mechanisms (or ‘appropriate safeguards’) available to data controllers and processors which permit restricted transfers to be carried out lawfully.

To lawfully transfer personal data outside the EEA, the data exporter must:

  • rely on an adequacy decision of the European Commission covering the destination country or international organisation (see section 2.1 below); or, failing that,
  • put in place an appropriate safeguard under article 46 of the EU GDPR (see section 2.2 below); or, failing that,
  • rely on one of the exceptions or derogations under article 49(1) of the EU GDPR, which must be interpreted restrictively (see section 2.3 below).

Chapter V of the EU GDPR therefore sets out a hierarchical approach to the various safeguards. It is designed to ensure that data subjects’ rights are protected when their personal data leaves the EEA. These different mechanisms are explained in more detail below.

2.1 Adequacy regulations

If a country is the subject of an adequacy decision issued by the EU’s European Commission, then the envisaged transfer will not be restricted and can be made freely. In this case, such a transfer will take place in compliance with the Chapter V requirements on international data transfers.

As of the date of this guide, the European Commission has adequacy decisions in relation to:

  • Andorra;
  • Argentina;
  • Canada (this only covers data that is subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA));
  • Faroe Islands;
  • Guernsey;
  • Israel;
  • Isle of Man;
  • Japan;
  • Jersey;
  • New Zealand;
  • Republic of (South) Korea;
  • Switzerland;
  • United Kingdom;
  • United States (commercial organisations participating in the EU-US Data Privacy Framework); and
  • Uruguay.

2.2 Appropriate safeguards

If the importing country does not benefit from a European Commission adequacy decision, the data exporter may only transfer personal data to a non-EEA country or international organisation:

  • if an appropriate safeguard under article 46 of the EU GDPR has been put in place by either the controller or processor; and
  • subject to enforceable data subject rights and effective legal remedies being available in the importing country.

The different types of appropriate safeguards available are set out in more detail below.

A staged approach is advised when determining how to legitimise restricted transfers of personal data – if there is no adequacy regulation and an appropriate safeguard is not able to be put in place, then the organisation should consider applying one of the exceptions or derogations under article 49(1) of the EU GDPR, which must be interpreted restrictively (see further section 2.3 below). 

2.2.1 Standard contractual clauses

Standard contractual clauses (SCCs) are standardised and pre-approved model data protection clauses that allow controllers and processors to transfer personal data to a third country. They remain the most widely used article 46 appropriate safeguard. In this guide, ‘SCCs’ refers to the SCCs issued by the European Commission in June 2021 (the New EU SCCs), which replaced the SCCs approved between 2001 and 2010 under Directive (EC) 95/46 – Data Protection Directive (the Legacy EU SCCs).

The use of Legacy EU SCCs was phased out over a period of time – new transfer arrangements relying on SCCs have been required to use the New EU SCCs since 27 September 2021 and transfer agreements relying on SCCs entered into before 27 September 2021 were granted a transition period until 27 December 2022 to switch to the New EU SCCs (ie, replace the Legacy EU SCCs with the New EU SCCs, including the annexes).

2.2.2 Binding corporate rules

In an EU context, binding corporate rules (BCRs) are legally binding internal organisational rules relied on by EU-based organisations (acting as either controller or processor) in order to perform restricted transfers. BCRs for organisations established in the EU can be used by a group of undertakings (ie, a controlling undertaking and its controlled undertakings, more commonly known as a corporate group) or a group of enterprises (ie, a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity) if:

  • both the exporter and the importer have signed up to the same BCRs; and
  • in order to ensure that data subjects’ rights are enforceable, the organisation submits BCRs for approval to the appropriate competent data protection authority in a member state of the EU (which may be several supervisory authorities if the processing is carried out in more than one EU country and a single lead supervisory authority has not been notified). The authority will approve the BCRs in accordance with the consistency mechanism set out in article 63 of the EU GDPR. This procedure may necessarily involve several data protection authorities where a corporate group applying for approval of its BCRs has entities in more than one EU member state. 

The BCRs’ purpose is that an adequate level of protection is afforded when personal data is transferred across jurisdictions between members of a corporate group, or groups of enterprises engaged in joint activity.

The concept of using BCRs to provide adequate safeguards for making restricted transfers was developed under EU law.

Generally speaking, BCRs have the following limitations:

  • they rely on all relevant parties having signed up to the respective BCR and therefore cannot be used to cover international transfers of personal data to companies that are outside the corporate group;
  • they are very detailed in terms of the content they need to cover and must be approved by the relevant supervisory authority or authorities before they can be used. This process can be lengthy (as processing times can take 18 months or longer), time-consuming (to put together the detailed documentation required), and often costly.

Therefore, in practice, BCRs are predominantly used by large, multinational commercial organisations. Organisations therefore need to evaluate carefully whether BCRs are the most appropriate safeguards for their specific transfer scenarios.

Prior to effecting any restricted transfers under BCRs to high-risk countries (meaning countries that are not considered adequate under EU data protection rules), a transfer risk assessment (TRA) will need to be conducted (see section 2.2.5 below).

The EDPB has issued recommendations regarding the application for approval and on the elements and principles to be found in controller BCRs.

2.2.3 Approved codes of conduct and approved certification mechanisms

Approved codes of conduct

Under article 40 of the EU GDPR, relevant data protection regulators and EU bodies encourage the drawing up of codes of conduct to contribute to the proper application of the EU GDPR, taking account of the specific features of the various processing sectors and the needs of micro, small and medium-sized enterprises. Trade associations and representative bodies take the lead on developing and monitoring compliance with codes of conduct. A specific approval process is involved, as set out in article 40.

Codes of conduct are voluntary sets of rules that assist members of that code with data protection compliance and accountability in specific sectors or relating to particular processing operations. Codes of conduct can either be ‘national codes’ (which cover processing activities in a particular jurisdiction) or ‘transnational codes’ (which cover processing activities in more than one member state). The EDPB and supervisory authorities encourage the creation of codes of conduct by actively engaging with sectors to encourage development and uptake of codes where the sector would benefit. To date, a limited number of codes of conduct have been approved.

Adherence to codes of conduct can also be used as part of demonstrating compliance (articles 24(3) (technical and organisational measures) and 25(3) (data protection by design and by default) of the EU GDPR). The EDPB has published guidelines on codes of conduct.

Approved certification mechanisms

Under article 41 of the EU GDPR, relevant data protection regulators and EU bodies encourage the establishment of data protection certification mechanisms and data protection seals and marks to demonstrate compliance with the EU GDPR of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises must be considered.

During 2022, the EDPB adopted an opinion on the approval of the Europrivacy certification criteria submitted by the Luxembourg data protection authority. This was the first such certification approved by the EDPB. Under the certification scheme, Europrivacy enables organisations to assess and certify the compliance of their data processing with the EU GDPR and complementary national data protection laws. Adherence to approved certification mechanisms can also be used as part of demonstrating compliance (articles 24(3) (technical and organisational measures) and 25(3) (data protection by design and by default) of the EU GDPR).

2.2.4 Other transfer mechanisms

Entering into bespoke contractual clauses

A data exporter and data importer can also enter into bespoke contractual clauses for the purposes of making a restricted data transfer, subject to the contract being authorised by the EDPB for that specific transfer. A TRA may also need to be performed prior to concluding the contract but this will depend on the specific transfer, the content of the contract and any conditions imposed as part of the EDPB’s approval.

Administrative arrangements between public bodies

Similar to the above, a restricted data transfer can be made if it falls under the purview of an administrative agreement between public authorities or bodies.

2.2.5 Undertaking transfer risk assessments

Solely relying on an appropriate safeguard may not be sufficient to achieve compliance with the restricted data transfer requirements. After the Court of Justice of the European Union’s decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II), organisations should conduct a transfer risk assessment (TRA, also referred to as a transfer impact assessment) to review whether the safeguard relied on provides sufficient protection for data subjects and, if necessary, must take additional measures. Schrems II impacted the restricted data transfer framework in the ways listed below.

  • It invalidated the Privacy Shield mechanism of transferring data to the United States following a review of US surveillance laws (mainly section 702 of the Foreign Intelligence Surveillance Act, and Executive Order 12333). The decision concluded that these laws do not limit or effectively oversee public authorities’ access to EU personal data. It also confirmed that the Privacy Shield does not effectively provide EU individuals with actionable and effective rights before the courts against such public authorities.
  • It upheld the validity of the SCCs as an appropriate safeguard for transferring personal data to third countries.
  • It introduced the requirement that, prior to relying on any article 46 appropriate safeguard (eg, SCCs or BCRs), the data exporter must perform a TRA.

A TRA does not need to be performed when transferring personal data outside the EEA in reliance on an adequacy regulation or an exception (article 49 of the EU GDPR).

A TRA aims to uphold the level of protection provided by the EU GDPR when a data transfer occurs outside the EEA, for the entire duration of that transfer. This is accomplished by identifying risks and mitigating them as and when necessary. If the risks cannot be mitigated, then the data exporter should not proceed with the transfer.

When assessing the level of protection offered to data and data subjects, the TRA should consider:

  • the destination country’s rules, regulations and overall regulatory landscape; and
  • the importer itself and the protections it offers.

The data exporter will always be responsible for performing the TRA; however, it can ask the data importer for assistance if required. For example, the data importer can provide insight into the destination country’s legal landscape or provide details of the measures the importer has implemented to ensure the protection of the personal data it processes. 

The level of protection offered by the importer and the destination country should be ‘sufficiently similar’ to the protections offered under the EU GDPR.

The EDPB’s approach is published in its final Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, which offers organisations a six-step plan for making sure that the data transfer is in line with the Schrems II decision.

Following completion of the TRA, if it is concluded that the laws of the destination country do impinge on the effectiveness of the relevant article 46 appropriate safeguard, additional measures may be necessary to bring the level of protection up to the EU standard. The most common supplementary measures include contractual measures (eg, imposing requirements on how the importer responds to government access requests) or technical measures such as encryption. In the situation where even with those additional protections in place, there is not ‘essential equivalence’ with the EU GDPR and such measures are insufficient to compensate for any inadequacies of the data importer’s regulatory framework and surveillance practices, the transfer would not be allowed to proceed.

2.3 Exceptions or derogations

If none of the above options are available, the data exporter is left with seeing if one of the specific exceptions or derogations listed in article 49(1) of the EU GDPR can be applied.

The specific circumstances of the transfer will need to be considered in detail to decide which (if any) may apply to your transfer scenario. Note that, as many derogations cannot be used for regular or frequent transfers or they are subject to restrictive conditions, in practice they tend to not be used often.

The derogations or exceptions are listed below.

  • The data subject gives valid explicit consent which must be both specific and informed. For this to apply, the data exporter needs to provide the data subject with precise details about the restricted transfer and its associated risks. The main barriers to relying on consent are the challenges that may arise if that consent is withdrawn and whether the requirements for valid consent can in fact be met in a specific context, such as for transfers of HR data where the imbalance of power between employer and employee may mean that consent is not ‘freely given’.
  • The transfer must be necessary for the performance of a contract between the data subject and the data exporter, or it must be necessary as a pre-contractual step to enter into the contract. This exception can only be used for occasional restricted transfers. The transfer can happen more than once but not regularly.
  • The transfer is necessary for the performance of a contract made in the interests of the data subject between the controller of the data (usually the data exporter) and another natural or legal person. Again, the transfer must be occasional and not regular. This exception cannot be used by public authorities when exercising their public powers.
  • The transfer is necessary for important reasons of public interest. There must be an EU law which states or implies that this transfer is allowed for important reasons of public interest.
  • The transfer is necessary for the establishment of legal claims, to make a legal claim or to defend a legal claim. However, this exception can only be used for occasional restricted transfers. The claim will need to have a basis in law and a formally legally defined process. The legal claim can be interpreted widely to include:
    • all judicial legal claims, in civil and criminal law; and
    • administrative or regulator procedures, such as to defend an investigation (or potential investigation) in competition law or financial services regulation, or to seek approval for a merger.
  • The transfer is necessary for the vital interests of an individual (where the data subject is physically or legally incapable of giving consent).
  • The transfer is being made from a register which under EU law is intended to provide information to the public.
  • The transfer is a one-off, and it is for compelling legitimate interests. This exception is for exceptional circumstances (and requires the EDPB to be informed of the transfer). Therefore, it cannot be relied on lightly or regularly. The following conditions must be met in order to rely on this exception:
    • the European Commission’s adequacy decisions do not apply;
    • there are no appropriate safeguards available;
    • none of the other exceptions apply;
    • the transfer is occasional;
    • the personal data in question must only relate to a limited number of individuals;
    • the transfer is necessary for compelling legitimate interests;
    • the compelling legitimate interests outweigh the rights and freedoms of individuals;
    • a full assessment has been carried out and suitable safeguards put in place to protect the personal data;
    • the EDPB has been informed of the transfer; and
    • the data subject has been informed of and had explained the compelling legitimate interest.

The EDPB’s guidelines on article 49 derogations examine each of these derogations in more detail.

Section 3 – Failure to comply with data transfer requirements

If the data exporter is sending personal data to a third party in a country outside the EEA in contravention of the data transfer provisions of the EU GDPR, it can face enforcement action from the relevant supervisory authority or claims from data subjects.

Under article 83(5) of the EU GDPR, a relevant supervisory authority has the right to issue a monetary penalty for failure to comply with the EU GDPR. The maximum amount is €20 million or 4 per cent of the total annual worldwide turnover in the preceding financial year, whichever is higher. This amount is specific to infringements related to any failure to comply with:

  • any of the data protection principles;
  • the requirements to give effect to any rights an individual may have under the EU GDPR; or
  • the requirements in relation to any transfers of data to third countries.

Failure to comply with other more administrative requirements may incur a fine of up to €10 million or 2 per cent of the total annual worldwide turnover in the preceding financial year, whichever is higher.

The EDPB also has powers to order a controller or processor to stop data transfers or other processing activities.

Section 4 – How to approach a data transfer project

Data transfer projects may take many forms but there are some common steps that can help data exporters to streamline these often complex projects. These steps should ideally be taken by any organisation prior to any transfer taking place; however, some documents and practices (eg, having correct and compliant documentation in place, and having a good data governance practice) should be maintained on an ongoing basis.

4.1 Data mapping

As good practice, the EDPB encourages organisations to map all relevant data flows in a timely manner. There is no specific requirement under the EU GDPR to carry out data mapping in a certain way. However, an effective approach to data mapping is to structure it in the ways listed below.

  • Obtain as much information as possible. This might be in the form of a questionnaire which can be sent out to different departments if you are dealing with a larger organisation. There may be automated or technology-led solutions for extracting and analysing this information. Some example questions may include:
    • What personal data do you hold?
    • Why do you hold this personal data?
    • Who do you hold information about?
    • Who do you share this information with (including both third parties and other group companies)?
    • Are you transferring personal data outside the EEA (including to servers located outside the EEA or via remote access from locations outside the EEA)? If so, where?
    • Where are any third parties headquartered?
    • How long are you planning to hold this information for?
    • How is this information kept secure?
  • Identify and meet directly with the stakeholders within the organisation. The data-mapping exercise should target senior subject matter experts as they should be best placed to identify the relevant data flows. This may differ depending on the organisation and should be assessed on a case-by-case basis.
  • Identify and review policies, procedures, contracts and agreements. Obtain as many of the contracts and/or policies listed below to identify or verify the relevant data flows and capture these appropriately:
    • privacy notices;
    • data retention policies;
    • data protection policies;
    • data security policies;
    • system-use procedures;
    • data processor contracts;
    • data sharing agreements;
    • data transfer agreements/SCCs;
    • TRAs; and
    • for large third-party suppliers, public-facing terms and conditions and other privacy-related documentation.

Carrying out the data-mapping exercise will assist with:

  • identifying where the personal data originates and where it is going;
  • identifying any gaps in the implementation of appropriate safeguards for the data transfers and/or any other legal requirements to ensure the lawfulness of such data transfers, such as TRAs; and
  • gathering the relevant information that is needed to feed into the organisation’s records of processing activities (ROPAs) – see section 4.3 below.

An organisation’s data mapping should ideally be a live document that reflects the organisation’s data flows in real time. However, this may not be practical for a lot of organisations, so a data mapping exercise should be performed regularly, but especially to capture any changes in processing operations that may include new or modified data transfers.

4.2 Have correct, compliant documentation in place

Start with the gaps that you have identified in the data-mapping phase, then group and prioritise these in a logical way according to risk. In order to assess risk, you may look, for example, at:

  • the type of data that is being transferred (special category data indicates a higher-risk transfer);
  • the volume of the data (a higher volume of data also indicates a higher level of risk);
  • whether the transfer of data is ongoing or periodic (higher risk) or just a one-off transfer (lower risk);
  • the territory to which the data is being transferred (eg, if the data is being transferred to an adequate jurisdiction then the risk is lower); and
  • whether appropriate safeguards have been put in place (if the data is transferred to a non-adequate jurisdiction without proper safeguards in place then the risk is higher).

Based on that, the organisation will need to come up with a remediation plan to ensure that it has in place key documents such as SCCs and TRAs for all restricted transfers. This applies to both transfers to third parties such as suppliers and to intra-group data transfers.
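The gap-prioritisation step above, as an added Python example that is not part of the guide: it reads a constructed data map, flags restricted transfers that lack SCCs or a TRA, and orders them by the factors the guide names. The adequacy set and the numeric weights are assumptions for illustration, not legal determinations.

```python
from dataclasses import dataclass

# Assumption: an illustrative adequacy set only; consult the Commission's
# current adequacy decisions rather than relying on this list.
ASSUMED_ADEQUATE = {"EEA", "Switzerland", "Japan"}

@dataclass
class Transfer:
    system: str            # source system from the data map
    recipient: str         # third party or group entity receiving the data
    territory: str         # where the recipient processes the data
    special_category: bool
    volume: int            # records per transfer (constructed figure)
    ongoing: bool          # recurring feed (True) or one-off (False)
    scc_in_place: bool
    tra_in_place: bool

def is_restricted(t: Transfer) -> bool:
    """A transfer to a non-adequate territory needs Chapter V safeguards."""
    return t.territory not in ASSUMED_ADEQUATE

def gaps(t: Transfer) -> list:
    """Safeguard documents missing for a restricted transfer (empty if none)."""
    if not is_restricted(t):
        return []
    return [doc for doc, ok in (("SCCs", t.scc_in_place), ("TRA", t.tra_in_place)) if not ok]

def risk_score(t: Transfer) -> int:
    """Ordinal score built from the guide's factors; the weights are assumptions."""
    return (3 * t.special_category + 2 * (t.volume >= 10_000) + 1 * t.ongoing
            + 3 * bool(gaps(t)))

def remediation_plan(transfers):
    """Restricted transfers with missing safeguards, highest risk first."""
    todo = [t for t in transfers if gaps(t)]
    todo.sort(key=risk_score, reverse=True)   # stable sort: ties keep data-map order
    return [(t.system, t.recipient, gaps(t)) for t in todo]

# Constructed data-map rows for illustration only
SAMPLE_TRANSFERS = [
    Transfer("HRIS", "Payroll provider", "India", True, 500, True, True, False),
    Transfer("CRM", "Marketing agency", "Brazil", False, 50_000, True, False, False),
    Transfer("Analytics", "Hosting vendor", "Japan", False, 1_000_000, True, False, False),
    Transfer("Recruiting", "Background checker", "Singapore", True, 20, False, False, False),
]

if __name__ == "__main__":
    for system, recipient, missing in remediation_plan(SAMPLE_TRANSFERS):
        print(f"{system} -> {recipient}: missing {', '.join(missing)}")
```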

4.3 Follow good data protection governance

It is crucial for organisations to have a robust data privacy and protection programme that includes appropriate measures relating to data transfers. Areas of particularly high risk are mitigated in the ways illustrated below.

  • Data protection governance and resourcing – a well-functioning data protection compliance operation should clearly delineate responsibility to senior staff members for initiating and overseeing privacy-related initiatives throughout the organisation on a proactive basis. This includes embedding appropriate data protection governance structures at all levels.
  • Access controls – access controls in centralised systems need to be set in a systematic and methodical way to restrict the personal data shared on a need-to-know basis and subject to appropriate geographical limitations. These controls and the rationale for how these are set up should be documented in appropriate policies and protocols.
  • Supplier due diligence – a robust system should be implemented for evaluating suppliers who process personal data on behalf of the organisation for data protection compliance prior to onboarding them. A process should also be in place for this evaluation to be reviewed on an ongoing basis.
  • Processor terms – controls need to be implemented within the supplier onboarding process to ensure that mandatory processor contract terms are in place with suppliers that process personal data on behalf of the organisation, and for ensuring that TRAs are in place for all restricted transfers of personal data.
  • ROPAs, data protection impact assessments (DPIAs) and TRAs – DPIAs are a method for organisations to analyse their high-risk processing, identify the areas of risk, and mitigate any exposure. The EDPB stipulates that DPIAs must consider compliance risks, but also more extensive risks to the rights and freedoms of individuals. For more details on DPIAs, see the EDPB’s guidance, Ireland’s supervisory authority’s (the Data Protection Commissioner (DPC)) guidelines on DPIAs, and the How-to guide: How to ensure compliance with the GDPR. ROPAs and DPIAs should include complete details of all international data transfers and should incorporate TRAs. Flags should also be raised when the ROPA needs to be updated and for high-risk restricted transfers requiring DPIAs (or pre-DPIAs). Ireland’s supervisory authority, the DPC, has published guidelines on ROPAs.

Additional resources

European Data Protection Board – Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR 
EDPB guidelines, recommendations and best practices on transfers
EDPS International Transfers
