Transfer of personal data to a third country

The General Data Protection Regulation (GDPR) gives personal data and privacy the same level of protection in all EU member states. The same applies to the EEA countries. Personal data may therefore be transferred freely within this area without restrictions.

The transfer of personal data to countries outside the EU/EEA (“third countries”) may only take place under special conditions. The reason is that the level of protection guaranteed by the GDPR must not be undermined by a transfer to a third country. The general rule is that a transfer to a third country may only take place if it is supported by one of the following mechanisms.

  1. The jurisdiction in which the recipient of the personal data is located is considered to provide an adequate level of protection of personal data. The EU Commission has decided that a number of third countries provide a so-called adequate level of protection. This means that the national laws and regulations of the recipient country are deemed to protect personal data in a way that substantially corresponds to the protection that exists in the EU. If the recipient country provides an adequate level of protection, personal data may be transferred there in the same way as personal data can be transferred within the EU/EEA. The Swedish Authority for Privacy Protection’s website has a list of approved countries (link opens in the same window).

  2. If there is no adequacy decision, it may still be possible to transfer personal data to a third country if the University can ensure sufficient protection for the data in some other way (appropriate safeguards). Examples of appropriate safeguards are: a) standard data protection clauses adopted by the European Commission (standard contract clauses); b) a legally binding and enforceable instrument between public authorities or bodies, e.g. a memorandum of understanding; c) binding corporate rules approved by the supervisory authority; and d) an approved code of conduct or certification mechanism. The mechanism in 2 a) means that the University and the recipient enter into an agreement containing the standard contract clauses approved by the EU Commission, which set out the rights and obligations of the parties regarding the personal data. These standard contract clauses may not be used routinely. First, there must be an evaluation of the protection that personal data enjoys under the national laws and regulations of the country or countries to which it is being transferred, and of the need for supplementary protective measures. More information about this can be found further down the page under the heading Current issues.
  3. An exception is applicable (exceptions associated with conditions for specific situations and individual cases). This mechanism is not addressed here as it should rarely be applicable to the University.

More information and examples of third-country transfers are available on the Swedish Authority for Privacy Protection’s website (link opens in the same window).

Privacy Shield

There was previously a certification mechanism known as Privacy Shield, which enabled transfers to be made from the EU to recipients in the US who had signed up to Privacy Shield. On 16 July 2020, Privacy Shield was declared invalid by the EU Court of Justice, meaning that transfers can no longer legally be made with the support of Privacy Shield.

Brexit

There is extra time allowed for the transfer of personal data to the UK after the end of the Brexit transition period.

In their trade and cooperation agreement, the EU and the UK agreed on an extension period of four months, during which personal data controllers and personal data processors may continue to transfer personal data to the UK. The extension period may be prolonged by a further two months, unless either party objects. Transfers of personal data between the EU/EEA and the UK can thus continue in their present form until the end of the extension period.

The EU Commission states that it is working towards an adequacy decision for the UK. The extension period ensures continuity for transfers after the EU–UK trade and cooperation agreement has entered into force, since the decision on an adequate level of protection is still being drafted.

If the EU Commission deems that the level of data protection in the UK is adequate, the Commission’s adequacy decision will become the primary basis for future transfers of personal data. The extension period ends earlier than the maximum six months if the Commission adopts the adequacy decision before then.

One precondition for the extension period is that the data protection legislation applied in the UK at the end of the Brexit transition period remains unchanged during the extension period.  

The extension period for transfer of personal data starts when the trade and cooperation agreement enters into force.

Current issues

Use of standard contract clauses (Dec 2020)

It follows from the ruling of the EU Court of Justice on 16 July 2020 (Schrems II) and the subsequent recommendations of the European Data Protection Board (EDPB) in November 2020 that standard contract clauses may not be used routinely. As personal data controller, the University must first evaluate

1) the protection of personal data in the national law of the country/countries to which it is being transferred and,

2) any need for supplementary protective measures.

Only once this evaluation is complete can the University determine whether standard contract clauses and any supplementary protective measures offer the personal data sufficient protection in the recipient country. 

The data protection officer recommends against entering new contracts allowing transfers to a third country without a preceding evaluation as described above that has also been documented.

The European Data Protection Board’s recommendations have been put out for consultation and are expected to be finally adopted in spring 2021. Read more on the European Data Protection Board’s website (link opens in the same window).

Specifically concerning transfer for research purposes (January 2021)

According to the European Data Protection Board’s recommendations, pseudonymisation can under certain conditions be a supplementary measure that remedies deficiencies in a recipient country’s level of protection. For pseudonymisation to constitute a valid supplementary measure, all five of the requirements below must be fulfilled.

  1. The personal data is processed in such a way that it can no longer be attributed to a specific data subject, or used to single out a data subject within a group of data subjects, without the use of complementary data,
  2. The complementary data is held solely by the University and stored separately from the data referred to in point 1,
  3. The complementary data is stored within the EU/EEA or in a country with an adequate level of protection,
  4. The complementary data is subject to technical and organisational measures which ensure that the personal data cannot be linked to an identified or identifiable natural person, for example measures that
    1. prevent disclosure of, and unauthorised access to, the complementary data, and
    2. ensure that the University alone retains control of the algorithm/tool that enables re-identification with the help of the complementary data,
  5. The University has analysed, in light of the information that public authorities in the recipient country may have access to, and concluded that it is not possible to attribute the personal data to an identified or identifiable person even with the use of such additional information.

The evaluation that personal data can be legally transferred to a third country is to be documented.
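As an added illustration of what the five requirements amount to in practice (this is example code, not the page's own guidance or any tool used by the University), the Python script below pseudonymises a small set of constructed, fictitious records before export. The direct identifiers are moved into a linking table that stays with the data holder (requirement 2), the pseudonym is a keyed HMAC whose key never leaves the University (requirement 4.2), quasi-identifiers such as birth year and postcode are coarsened, and a release check flags any record whose coarsened quasi-identifiers are unique, the kind of record a recipient holding a population register could still single out (requirement 5). The field names, the classification of fields and the coarsening rules are assumptions for the example.

```python
import collections
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people, values and field names;
# not from the page). "id" stands for a national identity number.
RECORDS = [
    {"id": "19900101-1234", "name": "Anna Example", "birth_year": 1990, "postcode": "22100", "score": 4.2},
    {"id": "19930505-2345", "name": "Bo Example",   "birth_year": 1993, "postcode": "22185", "score": 3.7},
    {"id": "19851231-5678", "name": "Cia Example",  "birth_year": 1985, "postcode": "22362", "score": 5.1},
    {"id": "19880808-6789", "name": "Dan Example",  "birth_year": 1988, "postcode": "22370", "score": 2.9},
]

# Assumed field classification for this example: direct identifiers are moved
# to the linking table, quasi-identifiers are coarsened in the export set.
DIRECT_IDENTIFIERS = ("id", "name")
QUASI_IDENTIFIERS = {
    "birth_year": lambda y: f"{y // 10 * 10}s",   # 1993 -> "1990s"
    "postcode": lambda p: p[:3],                  # "22185" -> "221"
}


def new_key() -> bytes:
    """Secret key for the pseudonym function. It stays at the University and
    is never sent with the export (requirements 2 and 4.2 above)."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed pseudonym (HMAC-SHA256). An unkeyed hash would let a recipient
    who can enumerate identity numbers recompute every token; with the key
    held only at the University that is not possible."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:24]


def pseudonymise(records, key):
    """Split records into an export set and a linking table. Only the export
    set leaves the University; the linking table is the 'complementary data'."""
    export, linking_table = [], {}
    for rec in records:
        token = pseudonym(key, rec["id"])
        out = {"pseudonym": token}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS:
                continue
            coarsen = QUASI_IDENTIFIERS.get(field)
            out[field] = coarsen(value) if coarsen else value
        export.append(out)
        linking_table[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
    return export, linking_table


def reidentify(token: str, linking_table):
    """Re-identification is possible only with the separately held table."""
    return linking_table[token]


def check_export(export, k: int = 2):
    """Checks to run before release: no direct identifier survives, and every
    quasi-identifier combination occurs at least k times. A record with a
    unique combination can be singled out by anyone holding a population
    register, which is the situation requirement 5 asks you to consider."""
    problems = []
    for rec in export:
        for f in DIRECT_IDENTIFIERS:
            if f in rec:
                problems.append(f"direct identifier '{f}' present in export")
    combos = collections.Counter(
        tuple(rec[f] for f in QUASI_IDENTIFIERS) for rec in export
    )
    for combo, n in combos.items():
        if n < k:
            problems.append(f"quasi-identifier combination {combo} occurs {n} < {k} times")
    return problems


if __name__ == "__main__":
    key = new_key()
    export, table = pseudonymise(RECORDS, key)
    print("export set:", export)
    print("release problems:", check_export(export))
    print("re-identified locally:", reidentify(export[0]["pseudonym"], table))
```

The export set and the linking table are the two halves that requirements 1 to 3 say must be held apart; the key and the table together are the "algorithm/tool" of requirement 4.2. Coarsening and the k-count check are a minimum, not a guarantee: whether the remaining fields are enough to single someone out depends on what other data the recipient, or authorities in the recipient country, can be assumed to hold, which is exactly the analysis requirement 5 calls for and that this script cannot do for you.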

Overview of transfers to third countries (Aug 2020)

In light of the ruling of the EU Court of Justice on 16 July 2020 and the risk that there is no decision on an adequate level of protection for the UK by 31 December 2020, the data protection officer recommended in August that a review be conducted of the transfers made to third countries, with priority for transfers to the US and UK. The officer also recommended against entering any new agreements allowing transfers to the US pending more guidance surrounding the legal situation.

The following guidance was provided on how this overview can be produced.

How to identify transfers to the USA and the UK

1. Which transfers are to be identified?

The transfers that need to be identified are transfers of personal data which the University carries out as a personal data controller and in which the personal data becomes accessible/available to someone in the USA or the UK. Below are some examples.

  • LU uses a personal data processor established in one of these countries. The same applies if LU uses a licensed service and the licensor is established in one of these countries.
  • LU uses a personal data processor that is established in the EU (with servers or cloud service based in the EU) but the data processing agreement allows certain personal data processing to be carried out in these countries, for example by a subsidiary, by a subcontractor or in a cloud service based in these countries. Correspondingly, the same applies if LU uses a licensed service.
  • Documents containing personal data emailed to one of these countries.
  • Researchers transfer data containing personal data to a university in these countries with which LU collaborates.
  • Education collaborations such as student exchanges with higher education institutions in these countries.

If you are unsure – include the transfer.

2. Who identifies the transfer?

  • Each system owner is responsible to identify any transfer of personal data to these countries for their system (the plan of operations for the administration states who is the system owner).

  • The faculties need to focus on research collaborations with parties in these countries and on IT solutions and services that are owned and financed at the faculty.

3. What information needs to be included about each identified personal data transfer to the USA and the UK?

  • Follow the specified template, which has instructions regarding the information to be included.
    Download the template by clicking here (Excel, 23 kB, opens in new window)
  • As stated in the template, it is important to find out the position of the opposite party. Under the Instructions tab in the template there is a link to letter templates that can be used for this purpose.

Questions

For questions about personal data and data protection, please contact:

Kristin Asgermyr
Data Protection Officer, Legal Counsel
dataskyddsombud [at] lu [dot] se
+46 46 222 04 26