Transfers of personal data out of the European Economic Area
Transferring personal data out of the EEA requires an appropriate basis for the transfer and compliance with the other requirements imposed by data protection legislation. This page describes the conditions for such transfers when the GDPR is applied to the processing of the personal data.
Note: The content of the website on international data transfers has not yet been updated with relation to the implications of the CJEU ruling in the Schrems II case (C-311/18).
The EU’s General Data Protection Regulation (EUR-Lex) applies in the European Economic Area, which includes Iceland, Liechtenstein and Norway in addition to the Member States. One of the key goals of common data protection legislation is to ensure the free flow of personal data within the EEA. For this reason, the same rules apply to the transfer of personal data to an EEA Member State as to transfers within Finland.
The level of protection guaranteed for personal data by the GDPR decreases when personal data are transferred out of the EU and EEA. Such transfers cause risks to the data subjects, i.e. the people whose data is being transferred. Therefore, the GDPR provides for conditions applied to the bases for transferring personal data out of the EEA to third countries or international organisations.
Conditions for transferring personal data out of the EEA
1. The processing of personal data must be permitted in Finland in the specific situation.
2. Transfers of personal data must also have a basis for transfer as specified in Chapter V of the General Data Protection Regulation (GDPR, EUR-Lex website). The effectiveness of the basis for transfer and the need for supplementary safeguards must be assessed on a case-by-case basis.
Both requirements must be met for the transfer of personal data to be permitted.
The provisions of Chapter V of the GDPR also apply to onward transfers of personal data from third countries or international organisations to other third countries or international organisations. Factors such as the quantity of data transferred or the duration of the transfer have no bearing on the applicability of these provisions. The provisions apply equally to the transfer of individual data items and large masses of personal data. Neither is it relevant for the applicability of Chapter V, GDPR, whether the data are transferred in a single transfer or over a long period of time.
It is sufficient for any one of the transfer principles provided for in Chapter V, GDPR to be met. If none of the bases for transfer are applicable, the personal data may not be transferred out of the EEA.
The transfer of personal data to third countries must also be compliant with the other parts of the GDPR in addition to those set forth in Chapter V. Such transfers are subject to the regulations on the processing of personal data, such as the purpose limitation and accountability (Article 5, GDPR), purpose of processing (Article 6, along with Article 9 with regard to special categories of personal data) and the obligation to secure the personal data (Article 32). The controller must ensure that the recipient of the data has the right to process the personal data being transferred. Furthermore, the controller is required to ensure that the level of protection provided for personal data in the GDPR is not jeopardised by the transfer of the personal data out of the EEA.
When the international transfers of personal data and the applicable basis for transfer have been identified, the controllers and processors of personal data that are transferring the data must check on a case-by-case basis if the legislation of the third country guarantees a level of protection for the personal data to be transferred that is essentially equivalent to that of the EEA. If the basis for transfer is not sufficient to guarantee an essentially equivalent level of data protection, and no appropriate supplementary safeguards can be found to guarantee an adequate level of data protection, the transfer cannot be made.
The data transfer bases vary according to the situation and the priority of application, and each basis is subject to its own, specific criteria. The bases for transfer are applied to both the controller and processor of the personal data.
Personal data can also be transferred to third countries or international organisations in the course of the duties of bodies such as the Finnish Defence Force, police, courts, Customs, Finnish Border Guard and Criminal Sanctions Agency provided for in section 1 of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (Act on data protection in criminal matters, 1054/2018, in pdf format, Finlex). Such transfers are subject to the provisions of Chapter 7 of the Act on data protection in criminal matters, which derogate from the GDPR’s articles concerning the transfer of personal data.
Transfer basis priority
The bases for the transfer of personal data are applied in order of priority. When planning the transfer of personal data to third countries, the organisation must first determine whether the data could be transferred by virtue of an adequacy decision made by the Commission. The transfer of personal data to a third country or international organisation can be carried out if the Commission has decided that the third country, territory, sector or organisation ensures an adequate level of data protection. Such an adequacy decision made by the Commission is a primary transfer basis, and a specific authorisation for the transfer is not required if an adequacy decision is in place.
If the data cannot be transferred by virtue of an adequacy decision by the Commission, the organisation must determine whether the transfer could be possible under the appropriate safeguards basis. Appropriate safeguards include standard clauses and binding corporate rules, for example.
If the transfer is not possible by virtue of an adequacy decision by the Commission or appropriate safeguards, the organisation can still investigate whether it could still be enabled by a derogation for a specific situation.
What changes has the GDPR brought?
Before the adoption of the EU's General Data Protection Regulation, the transfer of personal data out of the EU and EEA was regulated by chapter 5 of the Personal Data Act. Back then, transfers were required to be based on one of the transfer bases described in that chapter. Even though the Personal Data Act has been repealed, the transfer of personal data out of the EU or EEA still requires a specific basis.
These transfer bases are now described in Chapter V of the GDPR. The GDPR has increased the number of transfer bases and updated some of the bases that were already in place.
Unchanged bases for transfer
- Standard clauses approved by the Commission (Art. 46(2), point (c))
- Contractual clauses subject to the authorisation of the data protection authority (art. 46(3), point (a))*
Updated bases for transfer
- Commission decision on an adequate level of data protection (Art. 45)
- A Commission decision on an adequate level of data protection is a primary basis for transferring personal data. If there is no adequacy decision in place, the controller is required to use a different basis for transfer.
- Binding corporate rules (Art. 47)
- Derogations for specific situations (Art. 49)
- If a decision on the adequacy of data protection has not been made or the appropriate safeguards referred to in Article 46 implemented, one-time and recurring transfers of personal data to third countries or international organisations can, in certain cases, be made by virtue of the derogations for specific situations provided for in Article 49 of the GDPR.
New bases for transfer
- Standard clauses confirmed by the data protection authority and approved by the Commission (Art. 46(2), point (d))
- An approved certification mechanism (Art. 42 and Art. 46(2), point (f)) together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights
- An approved code of conduct (Art. 40 and Art. 46(2), point (e)) together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights
- A legally binding and enforceable instrument between public authorities or bodies (Art. 46(2), point (a))
- Provisions to be inserted into administrative arrangements between public authorities or bodies (Art. 46(3), point (b))*
*The data protection authority’s authorisation for the use of the transfer basis is required for
- contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
- provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
Further information on the transfer bases: