Transfer of personal data outside EU and EEA

The General Data Protection Regulation (GDPR) provides all EU member states with uniform protection of personal data and personal privacy. This also applies to the EEA countries.

The transfer of personal data to countries outside the EU/EEA (“third countries”) may only take place under special conditions. The reason is that the level of protection guaranteed through the GDPR must not be impaired by the transfer to a third country. Transfer of personal data to a third country is when personal data is made available to someone outside the EU/EEA, regardless of where the data is stored.

More information and examples of third country transfers are available on the website of the Swedish Authority for Privacy Protection (imy.se).

The two mechanisms most frequently applied when the University considers transferring personal data to a third country are described below. If neither of these mechanisms is applicable, the data protection officer can be contacted for guidance regarding other mechanisms that can be evaluated.

Mechanism 1: Adequate level of protection

The EU Commission has decided that a number of third countries provide a so-called adequate level of protection. This means that the national laws and regulations of the recipient country are deemed to provide protection for personal data that substantially corresponds to the protection that exists in the EU. If the recipient country provides an adequate level of protection, it is permissible to transfer personal data there in the same way as personal data can be transferred within the EU/EEA.

The Swedish Authority for Privacy Protection’s website has a list of approved countries – Integritetsskyddsmyndigheten (imy.se)

Mechanism 2: Standard contractual clauses

If there is no decision regarding an adequate level of protection, it may be possible to transfer personal data to a third country if the University can ensure sufficient protection for the data in some other way (appropriate safety measures). One example of appropriate safety measures is the standardised data protection provisions adopted by the European Commission, known as standard contractual clauses. This means that the University and the recipient enter into an agreement which includes a number of standard contractual clauses that the EU Commission has approved and which state the rights and obligations of the parties regarding the personal data.

More information and templates of standard contractual clauses are available on the Swedish Authority for Privacy Protection website – Integritetsskyddsmyndigheten (imy.se)

Before the University decides to apply standard contractual clauses, it must first evaluate:

  1. the protection of personal data in the national law of the country/countries to which it is being transferred and,
  2. any need for supplementary protective measures.

Only once this evaluation is complete can the University determine whether standard contract clauses and any supplementary protective measures offer the personal data sufficient protection in the recipient country.

The evaluation that personal data can be legally transferred to a third country is to be documented.

More information is available on the European Data Protection Board’s web site.

Specifically concerning transfer for research purposes

Under certain conditions, pseudonymisation can be a complementary safety measure that may remedy deficiencies in a recipient country’s level of protection. In order for pseudonymisation to constitute a valid complementary safety measure, all five of the requirements below must be fulfilled.

  1. Personal data is processed in a way that means it can no longer be related to a specific data subject (a person) or used to identify a data subject in a group of data subjects, without complementary data being used,
  2. The complementary data is stored solely at the University and separately from the data stated in point 1,
  3. The complementary data is stored within the EU/EEA or in a country with an adequate level of protection,
  4. The complementary data is subject to technical and organisational measures which ensure that the personal data cannot be linked to an identifiable physical person, for example measures that:
       1. prevent disclosure of, and unauthorised access to, the complementary data,
       2. ensure that the University alone retains control of the algorithm/tool that enables re-identification with the help of the complementary information.
  5. The University has analysed and deemed, in light of information that public authorities in the recipient country may have access to, that it is not possible to relate personal data to an identified or identifiable person even with the use of such additional information.

The evaluation that personal data can be legally transferred to a third country is to be documented.

More information is available on the European Data Protection Board’s web site.

Brexit

In their trade and cooperation agreement in December, the EU and the UK agreed on an extension period of four + two months from year-end 2020, during which personal data controllers and personal data processors may still transfer personal data to the UK. Transfer of personal data between the EU/EEA area and the UK can thus continue in its present form until the end of June 2021.

Privacy Shield - invalidated

There was previously a certification mechanism known as Privacy Shield, which enabled transfers to be made from the EU to recipients in the US who had signed up to Privacy Shield. On 16 July 2020, Privacy Shield was declared invalid by the EU Court of Justice, meaning that transfers can no longer legally be made with the support of Privacy Shield.

 

For questions about the application

For questions about personal data and data protection, please contact:

Kristin Asgermyr
Data Protection Officer, Legal Counsel
dataskyddsombud [at] lu [dot] se
+46 46 222 04 26