A transfer of personal data takes place when personal data is sent from European territory to one or more countries outside the European Union. The transfer may be made by copying, by moving data, via a network or from one medium to another (e.g. from a computer hard drive to a server).
Three cumulative criteria determine whether personal data is being transferred to a third country. This means that if a processing operation meets these three criteria, it will constitute a transfer within the meaning of Chapter V of the GDPR.
The three criteria are as follows:
- A controller or processor is subject to the GDPR for the given processing operation.
- That controller or processor ("exporter") discloses by transmission or otherwise makes available to another controller, joint controller or processor ("importer") personal data which is the subject of that processing.
- The importer is located in a third country or is an international organisation, regardless of whether or not that importer is subject to the GDPR in respect of the given processing in accordance with Article 3.
On the other hand, if a processing operation does not meet these three criteria, it will not constitute a transfer within the meaning of Chapter V of the GDPR.
Example 1 - A company wishes to outsource the management of its customer telephone reminders to a company located in a country outside the European Union.
Example 2 - The employee data of a multinational is centralised by the parent company located in the United States. The personal data of French employees is therefore transferred to the United States.
As a matter of principle, data transfers outside the European Union are prohibited.
Articles 44 to 49 of the GDPR provide for exceptions to this prohibition. They provide for the use of tools to control such transfers:
- an adequacy decision by the European Commission concerning certain countries ensuring an adequate level of protection;
- standard contractual clauses (SCC) issued by the European Commission;
- internal company rules (BCR);
- specific contractual clauses (considered to comply with the European Commission's model clauses);
- standard contractual clauses adopted by a supervisory authority and approved by the European Commission;
- an approved code of conduct (including a binding and enforceable commitment by non-EU recipients to apply appropriate safeguards);
- an approved certification scheme (including a binding and enforceable commitment by non-EU recipients to apply appropriate safeguards);
- an administrative arrangement or a legally binding and enforceable text adopted to enable cooperation between public authorities (Memorandum of Understanding or MMOU, international convention, etc.).
Article 49 of the GDPR provides for derogations. If a derogation justifies the transfer, the nature of the derogation must be indicated and, where applicable, the assessment of the circumstances of the transfer and the appropriate safeguards must be detailed.