Introduction 

The European Union’s General Data Protection Regulation, which came into existence in May 2018, lays down provisions for the processing of users’ personal data and the applicability of the legislation extends even outside the borders of the EU. The GDPR further focuses on a concept called “cross-border transfer of personal data” from an EU nation to a non-EU nation based on some regulatory requirements and business organizations are mandated under the GDPR to fulfil such requirements.  

For transfers between the EU nations, the same must be #gdpr compliant and except for that, there are no additional requirements.   

Non-EU Personal Data Transfer  

The GDPR imposes additional requirements for matters pertaining to non-EU personal data transfers. Business organizations that are involved in such transfers (cross-border) are required to verify on the ground that there is an adequacy decision of the EU Commission, otherwise, they will have to verify such transfers by way of entering into agreements.  

1. The sole purpose behind the EU Commission’s adequacy decision is to establish and verify that the non-EU nation has a GDPR equivalent privacy legislation in force that would safeguard such cross-border personal data transfers. The EU Commission’s role is to assess the non-EU nation’s legal standards pertaining to data privacy & protection.  
2. In cases wherein such cross-border transfers are not initiated by an adequacy decision, then such business organization must consider the following options:  

• Adopting standard contractual clauses- The EU Commission may adopt standard contractual clauses that would govern cross-border transfers with a non-EU controller/processor. Furthermore, the Data Protection Authorities in the EU may also adopt such standard clauses, however, the same is subject to approval from the EU Commission. In certain cross-border transfer scenarios, contractual clauses are negotiated and mutually agreed upon by the parties, and the same is subject to approval from the competent Data Protection Authority.  
•  Binding Corporate Rules- The other set option for validating cross-border transfer is on the basis of Binding Corporate Rules. These rules are binding and are approved by the concerned supervisory authorities. This regulates the transfer and processing of personal data between members of a group/enterprises involved in a combined economic activity.   

In addition to the above requirements, the GDPR introduces two other options to validate the cross-border transfer of personal data- i) Approved certification mechanism ii) approved code of conduct.  

Exemptions  

The exemptions pertaining to cross-border transfers under the GDPR are-  

1. Wherein, the data subject has given explicit consent;  
2. Wherein, such cross-border transfers are mandated under a contract;  
3. Wherein, such cross-border transfer is subject to the public interest;  
4. Wherein, such cross-border transfer is initiated for exercising legal rights;  
5. Wherein, such cross-border transfer is in the vital interest of the data subject;  
6. Wherein, such cross-border transfer involves public register data.