Transfers of personal data out of the European Economic Area

Transferring personal data out of the EEA requires an appropriate basis for the transfer and compliance with the other requirements imposed by data protection legislation. This page describes the conditions for such transfers when the GDPR is applied to the processing of the personal data.

The EU’s General Data Protection Regulation applies in the European Economic Area, which includes Iceland, Liechtenstein and Norway in addition to the Member States. One of the key goals of common data protection legislation is to ensure the free flow of personal data within the EEA. For this reason, the same rules apply to the transfer of personal data to an EEA Member State as to transfers within Finland.

When personal data are transferred out of the EU and EEA, the level of protection for personal data may not correspond to the requirements of the GDPR. Such transfers can cause risks to the data subjects, i.e. the people whose data is being transferred. Therefore, the GDPR provides for conditions applied to the bases for transferring personal data out of the EEA to third countries or international organisations.

​​​​​​​Read more about processing of personal data

Conditions for transferring personal data out of the EEA

1. The processing of personal data must be permitted in the specific situation.Henkilötietojen käsittelyn on oltava sallittua kyseisessä tilanteessa.

2. Transfers of personal data must also have a basis for transfer as specified in Chapter V of the General Data Protection Regulation (GDPR). The effectiveness of the basis for transfer and the need for supplementary safeguards must be assessed on a case-by-case basis.

Both requirements must be met for the transfer of personal data to be permitted.

Chapter V of the General Data Protection Regulation (GDPR) on the EUR-Lex website

Bases for the transfer of personal data

The bases for transferring personal data are defined in Chapter V of the General Data Protection Regulation (GDPR). It is sufficient for any one of the transfer principles provided for in Chapter V, GDPR to be met. If none of the bases for transfer are applicable, the personal data may not be transferred out of the EEA. The data transfer bases vary according to the situation and the priority of application, and each basis is subject to its own, specific criteria. The bases for transfer are applied to both the controller and processor of the personal data.

*The data protection authority’s authorisation for the use of the transfer basis is required for

  • contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
  • provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.



A level of data protection corresponding to EU requirements must be ensured when transferring data

The controller must ensure that the level of personal data protection guaranteed by the GDPR is not jeopardised when data is transferred out of the European Economic Area. The controller must also make sure that the recipient of the data has the right to process the personal data being transferred.​​​​​​​

When the international transfers of personal data and the applicable basis for transfer have been identified, the controllers and processors of personal data that are transferring the data must check on a case-by-case basis if the legislation of the third country guarantees a level of protection for the personal data to be transferred that is essentially equivalent to that of the EEA.

If the basis for transfer is not sufficient to guarantee a level of data protection corresponding to EU requirements, it can be supplemented with various supplementary safeguards in certain cases. If an adequate level of data protection cannot be guaranteed even with applicable supplementary safeguards, the transfer cannot be made.

Factors such as the volume of data being transferred, the duration of the transfer, or whether the data will be transferred in a single transfer or over a long period of time have no bearing on the applicability of these provisions. The provisions also apply to onward transfers of personal data to a third country or another international organisation.

Transfers of personal data by internal security authorities

Personal data can also be transferred to third countries or international organisations in the course of the duties of bodies such as the Finnish Defence Force, police, courts, Customs, Finnish Border Guard and Criminal Sanctions Agency provided for in section 1 of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (Act on data protection in criminal matters, 1054/2018, in pdf format, Finlex). Such transfers are subject to the provisions of Chapter 7 of the Act on data protection in criminal matters, which derogate from the GDPR’s articles concerning the transfer of personal data.

Which transfer basis would be appropriate for the transfer of personal data?