International data protection

We will be happy to explain which requirements have to be complied with in the context of trans-border data flows.

We are happy to explain which requirements have to be complied with in the context of trans-border data flows and which legal obstacles may have to be faced here. It goes without saying that this topic is of great importance in an era where major social media providers or governmental organizations illegally access your personal data. Another very important factor is the increased use of cloud computing service providers, which might store their clients’ personal data in data centres anywhere in the world without this being obvious to you at first sight.

This topic is not just about finding out which country's law is the governing law or which supervisory authority is the competent supervisory authority, but rather, specifically, how the legitimacy of the transfer of personal data to what is called a third country can be achieved. A third country is in principle any country outside of the EU or the European Economic Area for which the EU Commission was unable to discern an appropriate level of data protection. Therefore, it is not only the forwarding of personal data to an external service provider (e.g. by means of a contract for commissioned data processing) that has to be legitimized; beyond this, there is what is called a “second” step, which requires suitable safeguards in order to legitimize the transfer to such a service provider if the service provider resides in a third country or accesses the personal data from a third country.

Such suitable safeguards may be, for example, a certification pursuant to the EU-US Privacy Shield, the conclusion of what are called standard data protection clauses, or binding internal data protection provisions. In the event that none of the safeguards that are provided for by law are applicable, there are additional exceptions laid down by statutory law, and in such cases the consent of the data subject, for example, or a contract between the data subject and the controller may be used as a legal basis.

We will assess on your behalf how you can design your third-country transfers in a way that ensures compliance with the law in order to be able to operate internationally.