The General Data Protection Regulation is an EU Regulation. This means that it applies directly in all EU Member States from the moment it enters into force on 25 May 2018, so that the same regime for the protection of personal data applies in every Member State. Each Member State does, however, have the possibility to lay down its own rules in national legislation to elaborate on the GDPR. This possibility is limited and is intended in particular to let the GDPR fit as well as possible with certain ‘country-specific’ rules. For example, statutory retention periods for personal data differ from one Member State to another, which makes differentiation per Member State a necessity.
Because the same privacy rules apply in all EU Member States, the protection of personal data is also adequately secured when these data are sent from one Member State to another. This is different when personal data are made available to parties in countries outside the European Union. Examples are the payroll administration of a globally operating company that is carried out centrally in India, or a Canadian web shop that stores the data of customers from the Netherlands on a server in Canada. In such situations, the ‘third’ country must be able to guarantee an adequate level of protection. In addition to the EU Member States, Norway, Iceland and Liechtenstein (the other countries of the European Economic Area, EEA) are also committed to the full application of the GDPR. In terms of an adequate level of protection they can therefore be equated with EU Member States.
Whether a third country or international organization (i.e. one outside the EEA) can guarantee such an adequate level of protection is determined by the European Commission. The Commission looks at aspects such as the rule of law, respect for human rights and the applicable general and sectoral legislation in those countries. Whether an independent supervisory authority is active in the third country is also relevant for this assessment. The European Commission has meanwhile drawn up a list of countries with an adequate level of protection, which is publicly available.
A special regime applies to transfers of data to the US, namely transfers that comply with the criteria of the Privacy Shield Framework established by the Commission. Under this framework, organizations in the US that have joined the Framework must adhere to strict rules to secure the protection of personal data from the EU.
Without a Commission decision on an adequate level of protection, there are still some other options for exchanging data with third countries or international organizations. For instance, a transfer is also possible if appropriate safeguards are in place and the data subject has enforceable rights and effective legal remedies available. The GDPR lists the conditions under which this is possible.
Another option for transfer is provided by the so-called Binding Corporate Rules. In a nutshell, this means that companies (whether or not within a group) lay down rules which are legally binding, apply to the entire company or group, and grant enforceable rights to data subjects (the individuals whose personal data are processed) with regard to the processing of their personal data. The competent authority for personal data in a Member State may approve these rules at the request of the organization. Binding corporate rules are of interest to companies and organizations that are active in many different (EU and non-EU) countries, because they allow the exchange of personal data to proceed more easily.
Finally, in specific situations it is possible to transfer personal data to third countries even without the aforementioned safeguards. The GDPR specifies various conditions for this residual category, including the explicit consent of the data subject to the transfer, or the transfer being necessary for the performance of an agreement in the interest of the data subject.
International transfer of personal data inside and outside the EU occurs on a daily basis. If you handle such transfers, please bear in mind that transfer to countries outside the EEA is only permitted if specific safeguards are in place.