Transfers of personal data out of the European Economic Area
Transferring personal data out of the EEA requires an appropriate basis for the transfer and compliance with the other requirements imposed by data protection legislation. This page describes the conditions for such transfers when the GDPR is applied to the processing of the personal data.
The EU’s General Data Protection Regulation applies in the European Economic Area, which includes Iceland, Liechtenstein and Norway in addition to the EU Member States. One of the key goals of common data protection legislation is to ensure the free flow of personal data within the EEA. For this reason, the same rules apply to transfers of personal data to another EEA state as to transfers within Finland.
When personal data are transferred out of the EU and EEA, the level of protection for personal data may not correspond to the requirements of the GDPR. Such transfers can cause risks to the data subjects, i.e. the people whose data is being transferred. Therefore, the GDPR provides for conditions applied to the bases for transferring personal data out of the EEA to third countries or international organisations.
Read more about processing of personal data
Conditions for transferring personal data out of the EEA
1. The processing of personal data must be permitted in the specific situation.
2. Transfers of personal data must also have a basis for transfer as specified in Chapter V of the General Data Protection Regulation (GDPR). The effectiveness of the basis for transfer and the need for supplementary safeguards must be assessed on a case-by-case basis.
Both requirements must be met for the transfer of personal data to be permitted.
Chapter V of the General Data Protection Regulation (GDPR) on the EUR-Lex website
Bases for the transfer of personal data
The bases for transferring personal data are defined in Chapter V of the General Data Protection Regulation (GDPR). It is sufficient for any one of the bases for transfer provided for in Chapter V to be met. If none of them applies, the personal data may not be transferred out of the EEA. Which basis is appropriate depends on the situation and on the order of priority in which the bases are applied, and each basis is subject to its own specific criteria. The bases for transfer apply to both the controller and the processor of the personal data.
- Commission decision on an adequate level of data protection (Art. 45)
- Standard data protection clauses adopted by the Commission, or adopted by a supervisory authority and approved by the Commission (Art. 46(2), point (c) and Art. 46(2), point (d))
- Binding corporate rules (Art. 47)
- An approved certification mechanism (Art. 42 and Art. 46(2), point (f)) or an approved code of conduct (Art. 40 and Art. 46(2), point (e)) together with binding and enforceable commitments
- A legally binding and enforceable instrument between public authorities or bodies (Art. 46(2), point (a))
- Contractual clauses subject to the authorisation of the data protection authority (Art. 46(3), point (a))*
- Provisions to be inserted into administrative arrangements between public authorities or bodies (Art. 46(3), point (b))*
- Derogations for specific situations (Art. 49)
*The data protection authority’s authorisation for the use of the transfer basis is required for
- contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
- provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
The bases for the transfer of personal data are applied in order of priority. A decision by the European Commission on the adequacy of data protection ('adequacy decision') is the primary basis for transfer. If the Commission has decided that the third country, region, sector or international organisation in question ensures an adequate level of protection, personal data can be transferred directly on the basis of the adequacy decision.
If the data cannot be transferred by virtue of an adequacy decision by the Commission, the organisation must determine whether the transfer could be possible under the appropriate safeguards basis. Appropriate safeguards include standard clauses and binding corporate rules, for example.
If the transfer is not possible by virtue of an adequacy decision by the Commission or appropriate safeguards, the organisation can still investigate whether it could be enabled by a derogation for a specific situation. The derogations are a last-resort basis and apply only in exceptional cases.
A level of data protection corresponding to EU requirements must be ensured when transferring data
The controller must ensure that the level of personal data protection guaranteed by the GDPR is not jeopardised when data is transferred out of the European Economic Area. The controller must also make sure that the recipient of the data has the right to process the personal data being transferred.
Once the international transfers of personal data and the applicable basis for transfer have been identified, the controllers and processors transferring the data must check on a case-by-case basis whether the legislation of the third country guarantees a level of protection for the personal data to be transferred that is essentially equivalent to that of the EEA.
If the basis for transfer is not sufficient to guarantee a level of data protection corresponding to EU requirements, it can be supplemented with various supplementary safeguards in certain cases. If an adequate level of data protection cannot be guaranteed even with applicable supplementary safeguards, the transfer cannot be made.
Factors such as the volume of data being transferred, the duration of the transfer, or whether the data will be transferred in a single transfer or over a long period of time have no bearing on the applicability of these provisions. The provisions also apply to onward transfers of personal data to a third country or another international organisation.
Transfers of personal data by internal security authorities
Personal data can also be transferred to third countries or international organisations in the course of the duties of bodies such as the Finnish Defence Forces, the police, the courts, Customs, the Finnish Border Guard and the Criminal Sanctions Agency, as provided for in section 1 of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (Act on data protection in criminal matters, 1054/2018, in pdf format, Finlex). Such transfers are subject to the provisions of Chapter 7 of the Act on data protection in criminal matters, which apply instead of the GDPR’s articles on the transfer of personal data.
Which transfer basis would be appropriate for the transfer of personal data?
The processing and transfer of personal data must be performed in compliance with data protection legislation. Personal data can be transferred within the EEA subject to the same conditions applied to transfers within Finland. In other words, you will not need a transfer basis referred to in Chapter V of the GDPR.
If you are transferring personal data out of the EEA, you will need a transfer basis provided for in Chapter V of the EU’s General Data Protection Regulation. Keep the order of priority in mind when determining the appropriate transfer basis.
A Commission decision on the adequacy of data protection is the primary basis for the transfer of personal data to third countries. If the Commission has not issued a decision on the adequacy of data protection, determine whether the transfer could be performed with appropriate safeguards (Article 46 or 47, GDPR).
The binding corporate rules provided for in Article 47 of the GDPR can be used as a basis for transferring personal data out of the EU or EEA within a group of undertakings, or a group of enterprises engaged in a joint economic activity. The competent data protection authority approves the binding corporate rules in accordance with the consistency mechanism provided for in Article 63 of the GDPR.
The GDPR provides two new transfer bases for public sector entities:
- a legally binding and enforceable instrument between public authorities or bodies (Article 46(2), point (a)); and
- subject to the authorisation from the data protection authority, provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights (Article 46(3), point (b)).
The other appropriate safeguards provided for in Article 46 are:
- standard clauses adopted by the Commission (Article 46(2), point (c) and Article 46(2), point (d));
- an approved code of conduct (Article 40) or an approved certification mechanism (Article 42), together with binding and enforceable commitments; and
- subject to the authorisation from the data protection authority, contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation (Article 46(3), point (a)).
If neither an adequacy decision nor appropriate safeguards are available, the derogations for specific situations (Article 49) remain as a last-resort basis for data transfer, applicable only in exceptional cases.
Further information on the transfer bases:
- Transfers on the basis of an adequacy decision
- Standard clauses adopted by the Commission
- Safeguards to supplement transfer tools
- Binding Corporate Rules (BCR)
- Derogations for specific situations
- Brexit and the transfer of personal data to the UK
Recommendations and decision practice on transfers of personal data:
- Coordinated Enforcement Action report of the European Data Protection Board on the use of cloud-based services by the public sector (in English on the EDPB website)
- Press release, 17 January 2023: Deputy Data Protection Ombudsman issues reprimand for conveying library search information to US-based Google
- Press release, 11 February 2022: European data protection authorities have found the use of Google Analytics on websites to be in violation of data protection legislation (in Finnish)