Personal data transfers outside the EEA
Separate rules apply for personal data transfers from the Netherlands to countries outside the European Economic Area (EEA). Countries outside the EEA are also called ‘third countries’.
On this page
Third countries are all countries outside the European Union (EU), with the exception of the countries that are part of the EEA. These countries are Norway, Liechtenstein and Iceland. These three countries have the same level of protection of personal data as the EU.
The most important rule is that you are only allowed to transfer personal data to third countries that have an appropriate level of protection. Does a third country not have an appropriate level of protection? In that case, transfer is only allowed on the basis of one of the statutory provisions from Chapter V of the General Data Protection Regulation (GDPR).
Personal data transfers to a third country are possible in three cases. Namely on the basis of:
- an adequacy decision;
- appropriate safeguards, such as a model contract, a code of conduct, certification or binding corporate rules (BCR);
- specific exceptions.
Transfers on the basis of an adequacy decision
Does a third country offer an appropriate level of protection in national law? If so, the European Commission (EC) may make an adequacy decision (Article 45 of the GDPR). The EC then establishes that the data protection in that country is of a level that is comparable to the level of protection offered by the GDPR.
The EC may make such decision with regard to an entire country, but also with regard to a specific sector within a country. An example of this is Canada, where the adequacy decision only applies to commercial businesses.
It concerns these countries:
- Andorra
- Argentina
- Canada (commercial business only)
- Faroe Islands
- Guernsey
- Isle of Man
- Israel
- Japan
- Jersey
- New Zealand
- Uruguay
- United Kingdom
- Unites States (organisations participating in the Data Privacy Framework)
- Switzerland
- South Korea.
You therefore do not have to implement additional safeguards for transfers to these countries or sectors if you want to transfer personal data. You can find more information about this on the website of the European Commission.
Note: Do you want to transfer personal data to the United States (US)? Separate rules apply for personal data transfers to the US.
Transfers subject to appropriate safeguards
Personal data transfers to a third country are also possible by implementing so-called appropriate safeguards. This means that you take additional action to protect the personal data. In that case, you have the following options:
- Use a model contract.
- Draw up a code of conduct or arrange certification.
- Draw up binding corporate rules.
Use a model contract
Is there no adequacy decision by the EC? Then there must be another appropriate safeguard if you want to transfer personal data to a third country. This can be done with a model contract (also called standard contractual clauses or SCCs) adopted by the EC (Article 46, paragraph 2, point c of the GDPR).
Draw up a code of conduct or arrange certification
Other ways to ensure an appropriate level of protection are an approved code of conduct (Article 46, paragraph 2, point e of the GDPR) or by means of a certification mechanism (Article 46, paragraph 2, point f of the GDPR).
Note: do you want to use these tools for transfers? Then the GDPR stipulates as a condition that you have binding and enforceable commitments from the party in the third country and that this party applies the right safeguards.
You can find more information about codes of conduct as tools for transfers in the Guidelines on Codes of Conduct as tools for transfers of the European Data Protection Board (EDPB).
Draw up binding corporate rules
Binding corporate rules (BCR) are internal company regulations of organisations that have their main establishment within the EEA, for personal data transfers outside the EEA within a group of enterprises.
Transfers on the basis of specific exceptions
Is transfer on the basis of the aforementioned options not possible? In exceptional cases, you can rely on the specific exceptions set out in Article 49 of the GDPR. In the Guidelines on derogations of Article 49 under Regulation 2016/679 of the EDPB, you can read which cases these are and how you do this.
Additional safeguards
The publication Recommendations on measures that supplement transfer tools of the EDPB contains recommendations for additional safeguards that you can consider for a proper protection of personal data in the case of international transfers, such as encryption and pseudonymisation. You have to assess on a case-by-case basis which measure or combination of measures is necessary for proper protection of personal data.
Supervision by the Dutch DPA
Does a third country not have an appropriate level of protection? And is there no statutory exception that can be relied on? Then a transfer to that country is unlawful and therefore not permitted.
The Dutch Data Protection Authority (Dutch DPA) monitors personal data transfers to third countries by organisations that have their main establishment in the Netherlands. The Dutch DPA may impose a fine on organisations that unlawfully transfer data to third countries.