Transfer of personal data outside EU and EEA
The General Data Protection Regulation (GDPR) provides all EU member states with uniform protection of personal data and personal privacy. This also applies to the EEA countries.
The transfer of personal data to countries outside the EU/EEA (“third countries”) may only take place under special conditions. The reason is that the level of protection guaranteed through the GDPR must not be impaired by the transfer to a third country. Transfer of personal data to a third country is when personal data is made available to someone outside the EU/EEA, regardless of where the data is stored.
Below, the two mechanisms most frequently applied when the University considers transferring personal data to a third country are described. If neither of these mechanisms is applicable, the data protection officer can be contacted for guidance regarding other mechanisms that can be evaluated.
Mechanism 1: Adequate level of protection
The EU Commission has decided that a number of third countries provide a so-called adequate level of protection. This means that the national laws and regulations of the recipient country are deemed to provide protection for personal data that substantially corresponds to the protection that exists in the EU. If the recipient country provides an adequate level of protection, it is permissible to transfer personal data there in the same way as personal data can be transferred within the EU/EEA.
The Swedish Authority for Privacy Protection’s website has a list of approved countries: Integritetsskyddsmyndigheten (imy.se).
Mechanism 2: Standard contractual clauses
If there is no decision regarding an adequate level of protection, it may be possible to transfer personal data to a third country if the University can ensure sufficient protection for the data in some other way (appropriate safety measures). One example of appropriate safety measures is the standardised data protection provisions adopted by the European Commission, known as standard contractual clauses. This means that the University and the recipient enter into an agreement which includes a number of standard contractual clauses that the EU Commission has approved and which state the rights and obligations of the parties regarding the personal data.
Before the University decides to apply standard contractual clauses, it must first evaluate
- the protection of personal data in the national law of the country/countries to which it is being transferred, and
- any need for supplementary protective measures.
Only once this evaluation is complete can the University determine whether standard contract clauses and any supplementary protective measures offer the personal data sufficient protection in the recipient country.
The evaluation that personal data can be legally transferred to a third country is to be documented.
More information is available on the European Data Protection Board’s web site.
Specifically concerning transfer for research purposes
Under certain conditions, pseudonymisation can be a complementary safety measure that may remedy deficiencies in a recipient country’s level of protection. In order for pseudonymisation to constitute a valid complementary safety measure, all five of the requirements below must be fulfilled.
1. Personal data is processed in a way that means it can no longer be related to a specific data subject (a person) or used to identify a data subject in a group of data subjects, without complementary data being used.
2. The complementary data is stored solely at the University and separately from the data stated in point 1.
3. The complementary data is stored within the EU/EEA or in a country with an adequate level of protection.
4. The complementary data is subject to technical and organisational measures which ensure that the personal data cannot be linked to an identifiable physical person, for example measures that
   - prevent disclosure of, and unauthorised access to, the complementary data, and
   - ensure that the University alone retains control of the algorithm/tool that enables re-identification with the help of the complementary data.
5. The University has analysed and deemed, in light of information that public authorities in the recipient country may have access to, that it is not possible to relate the personal data to an identified or identifiable person even with the use of such additional information.
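As an added illustration (not from the University’s page or its own tooling) of how requirements 1 to 4 can be met in practice: a keyed pseudonymisation in Python, where the dataset prepared for transfer carries only HMAC pseudonyms, while the key and the pseudonym-to-identifier table form the complementary data that stays with the University. The record values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the identifiers are fictitious.
RECORDS = [
    {"id": "19800101-1234", "age_group": "40-49", "score": 71},
    {"id": "19901231-5678", "age_group": "30-39", "score": 64},
]


def pseudonymise(records, key):
    """Split records into a transferable dataset and complementary data.

    The dataset carries a keyed pseudonym (HMAC-SHA256) instead of the
    identifier. The complementary data, i.e. the key and the
    pseudonym -> identifier table, is what must stay with the University
    (requirements 2 to 4 above); without it the pseudonym can be neither
    recomputed nor reversed.
    """
    dataset, mapping = [], {}
    for rec in records:
        pseudonym = hmac.new(key, rec["id"].encode(), hashlib.sha256).hexdigest()
        mapping[pseudonym] = rec["id"]
        dataset.append({"pseudonym": pseudonym,
                        **{k: v for k, v in rec.items() if k != "id"}})
    return dataset, {"key": key, "mapping": mapping}


def re_identify(row, complementary):
    """Re-identification is only possible for the holder of the complementary data."""
    return complementary["mapping"].get(row["pseudonym"])


def leaks_identifier(dataset, records):
    """Pre-transfer check: no original identifier may appear anywhere in the dataset."""
    flat = repr(dataset)
    return any(rec["id"] in flat for rec in records)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and retained by the University only
    dataset, complementary = pseudonymise(RECORDS, key)
    assert not leaks_identifier(dataset, RECORDS)
    print(dataset)
```

Requirement 5 (the analysis of what the recipient country’s authorities could combine the data with) is an assessment, not something code can settle; the check above only confirms that no direct identifier travels with the dataset.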
The European Commission has adopted a new adequacy decision for EU-US data flows
According to the decision, the United States ensures an adequate level of protection that is comparable to that of the EU for personal data transferred from the EU to US companies under the EU-US Data Privacy Framework.
Through the EU-US Data Privacy Framework, new binding security measures are introduced to address all the issues raised by the EU Court of Justice. This includes limiting the access of US intelligence agencies to data from the EU to what is necessary and proportionate, as well as establishing a data protection court to which EU citizens can turn.
US companies will be able to join the EU-US Data Privacy Framework by committing to follow a detailed set of privacy obligations.
Please note that the decision only applies to companies that have certified themselves according to the framework. Feel free to contact us regarding data protection at dataskyddsombud [at] lu [dot] se if you have any questions.
Read more about the decision here: https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721.
For questions about the application
For questions about personal data and data protection, please contact:
dataskyddsombud [at] lu [dot] se