Cross-border transfers of Personal Data under the GDPR- Explained


The European Union’s General Data Protection Regulation, which came into existence in May 2018, lays down provisions for the processing of users’ personal data and the applicability of the legislation extends even outside the borders of the EU. The GDPR further focuses on a concept called “cross-border transfer of personal data” from an EU nation to a non-EU nation based on some regulatory requirements and business organizations are mandated under the GDPR to fulfil such requirements.  

For transfers between the EU nations, the same must be #gdpr compliant and except for that, there are no additional requirements.   

Non-EU Personal Data Transfer  

The GDPR imposes additional requirements for matters pertaining to non-EU personal data transfers. Business organizations that are involved in such transfers (cross-border) are required to verify on the ground that there is an adequacy decision of the EU Commission, otherwise, they will have to verify such transfers by way of entering into agreements.  

  1. The sole purpose behind the EU Commission’s adequacy decision is to establish and verify that the non-EU nation has a GDPR equivalent privacy legislation in force that would safeguard such cross-border personal data transfers. The EU Commission’s role is to assess the non-EU nation’s legal standards pertaining to data privacy & protection.  
  2. In cases wherein such cross-border transfers are not initiated by an adequacy decision, then such business organization must consider the following options:  
  • Adopting standard contractual clauses- The EU Commission may adopt standard contractual clauses that would govern cross-border transfers with a non-EU controller/processor. Furthermore, the Data Protection Authorities in the EU may also adopt such standard clauses, however, the same is subject to approval from the EU Commission. In certain cross-border transfer scenarios, contractual clauses are negotiated and mutually agreed upon by the parties, and the same is subject to approval from the competent Data Protection Authority.  
  •  Binding Corporate Rules- The other set option for validating cross-border transfer is on the basis of Binding Corporate Rules. These rules are binding and are approved by the concerned supervisory authorities. This regulates the transfer and processing of personal data between members of a group/enterprises involved in a combined economic activity.   

In addition to the above requirements, the GDPR introduces two other options to validate the cross-border transfer of personal data- i) Approved certification mechanism ii) approved code of conduct.  


The exemptions pertaining to cross-border transfers under the GDPR are-  

  1. Wherein, the data subject has given explicit consent;  
  2. Wherein, such cross-border transfers are mandated under a contract;  
  3. Wherein, such cross-border transfer is subject to the public interest;  
  4. Wherein, such cross-border transfer is initiated for exercising legal rights;  
  5. Wherein, such cross-border transfer is in the vital interest of the data subject;  
  6. Wherein, such cross-border transfer involves public register data. 

Major Privacy Updates of the Week

Meta Introduces New Privacy Features to Protect Teenagers

For teenagers, a new update has been released by Meta so they can safeguard teens privacy. Now, when a person under the age of 16 or 18 joins Facebook, their settings are immediately changed to be more private. Meta is collaborating with the National Center for Missing and Exploited Children (NCMEC) in building a global platform for teenagers, that will stop kids’ private photos from being posted online without their permission. 

Read More.

Apple Faces New Lawsuit over Users Data Collection Practices

Following a recent study by an independent researcher that discovered Apple was tracking users in its mobile apps even when they explicitly set their iPhone #privacy settings to turn tracking off, a new lawsuit has been filed challenging the company’s data collecting tactics. The plaintiff in a class action case, is suing alleging that Apple’s privacy guarantees are illegal under the California Invasion of Privacy Act. 

Read More.

Qatar World Cup Apps Raise Privacy Concerns

European data authorities are raising privacy concerns about apps’ the Qatari government is urging millions of soccer fans to download, when they arrive in Doha for the 2022 FIFA World Cup Qatar 2022. Booking and lodging application ‘Hayya’ and New coronavirus contact tracing app ‘Ehteraz’ gave access to Qatari authorities to surveillance. The European authority said that these applications will probably gather a lot more information than what app’s privacy notices indicate. 

Read More.

AIIMS Delhi Hit by Ransomware Attack on Server

The nation’s top public medical research institute and hospital, AIIMS (All India Institute of Medical Sciences, New Delhi), is currently dealing with a serious #cybercrime problem that is impeding normal business operations. As a result of a ransomware attack on the institution’s computer, AIIMS Delhi is currently experiencing widespread failure of its centralized digital system. As a result, the institution’s E Hospital services have been impacted. The problem has persisted at the hospital for two days despite efforts by several government entities to find a solution. 

Read More.

Pro-Russian Hackers Take Down EU Parliament Site

In a DDoS attack, pro-Kremlin KillNet hackers took down the European Parliament’s website. The pro-Russian hacker organization Killnet launched a distributed denial of service (DDoS) attack against the website, forcing it to fall offline for around two hours. This attack strategy has been frequently used by the group in its ongoing attempts to target pro-Ukrainian authorities. The attack was launched just after the parliamentarians agreed to name Russia as a state supporter of terrorism, in response to Russia’s invasion of Ukraine. 

Read More.

Curated by: Prajwala D Dinesh, Ritwik Tiwari, Ayush Sahay


Keep up to pace with this high-impact weekly privacy newsletter that
features significant data privacy updates, trends, and tools that can
help to make your life secure & easier every day!

*By clicking on subscribe, I agree to receive communications from Tsaaro