Data Transfer and GDPR Adequacy Resources
The General Data Protection Regulation (GDPR) is a vast subject. It covers many aspects of how data is transmitted, processed and stored.
The notion of country adequacy is just one aspect of the matter. And while it is the easiest to check, it is often trivialized and not considered in the data processing risk assessment.
You will find more resources about adequacy and other privacy and compliance-centric issues here.
Reference: GDPR Text
- Start with the basics. What is Data Transfer?
- Article 45, Transfer on the basis of an adequacy decision.
- Transferring data on the basis of Standard Contractual Clauses
Start with the basics. What is Data Transfer?
We recommend you check a bite-sized video by Privacy Kitchen.
Transfer for GDPR? 5 Key Facts
Article 45, Transfer on the basis of an adequacy decision.
The critical point of this article is that transferring personal data to an adequate country does not require specific consent or authorization.
Conversely, if your data processor, a SaaS vendor, uses a system or transfers data to an inadequate country, you must take extra care in communication with such a partner. Imagine sending the Personal Data of your end user as part of an email or support exchange. You need explicit consent if your vendor uses a service in an inappropriate jurisdiction.
Reference: Text of Article 45
Transferring data on the basis of Standard Contractual Clauses
The famous Schrems II ruling did not invalidate the premise of SCCs. However, it places additional requirements on those who rely on SCCs for data transfers.
The Data Importer and Data Exporter must ensure that SCCs can be enforced and withstand surveillance laws in the countries to which data is exported. It is fair to assume that transfers to countries like the USA, Russia, China, etc., can never rely on SCCs.
Reference: Using SCCs post-'Schrems II': Guidance from DPAs