International data transfers

The international transfer model designed by the GDPR establishes that data can only be conveyed outside the European Economic Area when it isguaranteed an adequate level of protection. In these cases, this transfer will not require any prior authorisation.

When there is no adequacy decision, international transfers may be made when the data controller or data processor establishes the appropriate guarantees, respecting the enforceable rights and with effective legal actions, for example through binding corporate rules or the standard contractual clauses adopted by the European Commission.

If the binding corporate rules and standard clauses are adopted by a control authority, they must be subject to the consistency mechanism provided for in the GDPR.

Finally, the GDPR also provides for a series of cases in which, with the lack an adequacy decision or adequate guarantees, a transfer can be carried out if any of the conditions established in Article 49 are met, for example, when the data subject has explicitly given his/her consent to the proposed transfer, the transfer is necessary for the execution of a contract between the data subject and the data controller, or the transfer is necessary for important reasons of public interest.

Access the procedure

International data transfers

Highlights