Transfers of personal data out of the European Economic Area
Transferring personal data out of the EEA requires an appropriate basis for the transfer and compliance with the other requirements imposed by data protection legislation. This page describes the conditions for such transfers when the GDPR is applied to the processing of the personal data.
The EU’s General Data Protection Regulation applies in the European Economic Area, which includes Iceland, Liechtenstein and Norway in addition to the Member States. One of the key goals of common data protection legislation is to ensure the free flow of personal data within the EEA. For this reason, the same rules apply to the transfer of personal data to an EEA Member State as to transfers within Finland.
When personal data are transferred out of the EU and EEA, the level of protection for personal data may not correspond to the requirements of the GDPR. Such transfers can cause risks to the data subjects, i.e. the people whose data is being transferred. Therefore, the GDPR provides for conditions applied to the bases for transferring personal data out of the EEA to third countries or international organisations.
Conditions for transferring personal data out of the EEA
1. The processing of personal data must be permitted in the specific situation.
2. Transfers of personal data must also have a basis for transfer as specified in Chapter V of the General Data Protection Regulation (GDPR). The effectiveness of the basis for transfer and the need for supplementary safeguards must be assessed on a case-by-case basis.
Both requirements must be met for the transfer of personal data to be permitted.
Bases for the transfer of personal data
The bases for transferring personal data are defined in Chapter V of the General Data Protection Regulation (GDPR). It is sufficient for any one of the transfer principles provided for in Chapter V, GDPR to be met. If none of the bases for transfer are applicable, the personal data may not be transferred out of the EEA. The data transfer bases vary according to the situation and the priority of application, and each basis is subject to its own, specific criteria. The bases for transfer are applied to both the controller and processor of the personal data.
- Commission decision on an adequate level of data protection (Art. 45)
- Standard clauses approved by the Commission (Art. 46(2), point (c) and Art. 46(2), point (d))
- Binding corporate rules (Art. 47)
- An approved certification mechanism (Art. 42 and Art. 46(2), point (f)) or an approved code of conduct (Art. 40 and Art. 46(2), point (e)) together with binding and enforceable commitments
- A legally binding and enforceable instrument between public authorities or bodies (Art. 46(2), point (a))
- Contractual clauses subject to the authorisation of the data protection authority (art. 46(3), point (a))*
- Provisions to be inserted into administrative arrangements between public authorities or bodies (Art. 46(3), point (b))*
- Derogations for specific situations (Art. 49)
*The data protection authority’s authorisation for the use of the transfer basis is required for
- contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
- provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
Transfer basis priority
The bases for the transfer of personal data are applied in order of priority. A decision by the European Commission on the adequacy of data protection ('adequacy decision') is the primary basis for transfer. If the Commission has decided that the third country, region, sector or international organisation in question ensures an adequate level of protection, personal data can be transferred directly on the basis of the adequacy decision.
If the data cannot be transferred by virtue of an adequacy decision by the Commission, the organisation must determine whether the transfer could be possible under the appropriate safeguards basis. Appropriate safeguards include standard clauses and binding corporate rules, for example.
If the transfer is not possible by virtue of an adequacy decision by the Commission or appropriate safeguards, the organisation can still investigate whether it could still be enabled by a derogation for a specific situation.
A level of data protection corresponding to EU requirements must be ensured when transferring data
The controller must ensure that the level of personal data protection guaranteed by the GDPR is not jeopardised when data is transferred out of the European Economic Area. The controller must also make sure that the recipient of the data has the right to process the personal data being transferred.
When the international transfers of personal data and the applicable basis for transfer have been identified, the controllers and processors of personal data that are transferring the data must check on a case-by-case basis if the legislation of the third country guarantees a level of protection for the personal data to be transferred that is essentially equivalent to that of the EEA.
If the basis for transfer is not sufficient to guarantee a level of data protection corresponding to EU requirements, it can be supplemented with various supplementary safeguards in certain cases. If an adequate level of data protection cannot be guaranteed even with applicable supplementary safeguards, the transfer cannot be made.
Factors such as the volume of data being transferred, the duration of the transfer, or whether the data will be transferred in a single transfer or over a long period of time have no bearing on the applicability of these provisions. The provisions also apply to onward transfers of personal data to a third country or another international organisation.
Transfers of personal data by internal security authorities
Personal data can also be transferred to third countries or international organisations in the course of the duties of bodies such as the Finnish Defence Force, police, courts, Customs, Finnish Border Guard and Criminal Sanctions Agency provided for in section 1 of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (Act on data protection in criminal matters, 1054/2018, in pdf format, Finlex). Such transfers are subject to the provisions of Chapter 7 of the Act on data protection in criminal matters, which derogate from the GDPR’s articles concerning the transfer of personal data.
Further information on the transfer bases:
- Transfers on the basis of an adequacy decision
- Standard clauses adopted by the Commission
- Safeguards to supplement transfer tools
- Binding Corporate Rules (BCR)
- Derogations for specific situations
- Brexit and the transfer of personal data to the UK
Recommendations and decision practice on transfers of personal data:
- Coordinated Enforcement Action report of the European Data Protection Board on the use of cloud-based services by the public sector (in English on the EDPB website)
- Press release, 17 January 2023: Deputy Data Protection Ombudsman issues reprimand for conveying library search information to US-based Google
- Press release, 11 February 2022: European data protection authorities have found the use of Google Analytics on websites to be in violation of data protection legislation (in Finnish)