How can I legally transfer personal data outside the EU?

Partagez cet article

Articles À la Une

A data transfer from the EU is any communication, copy or movement of personal data that is to be processed in a country outside the European Union. Whenever such a data transfer takes place it is necessary to make sure that it is governed by a legal framework. Firstly, you need to check whether the country to which the data is transferred has been granted an adequacy decision by the European Commission, which is the case for EEA countries, for example. If this is the case, the transfer can be carried out without any particular procedure. Otherwise, you will need to take certain steps, such as :

# signature of European Commission (EC) standard contractual clauses
# approved internal company rules (Binding Corporate Rules – BCR) drawn up by the data controller
# an approved code of conduct
# an approved certification scheme
# an administrative arrangement or legally binding text

Where approval is required, it will be given either by the National Authority or by the European Data Protection Committee. Otherwise, the transfer must not be carried out.

It is also important to be vigilant, as in some cases, just one of these measures may not be enough; for example, the Standard Contractual Clauses have been judged to be insufficient for the transfer of data to the USA (https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A62018CJ0311) before the EC’s adequacy ruling on US legislation was issued on July 10, 2023.

The MIIP – MADE IN IP teams are at your disposal to support you in your dealings beyond Europe’s borders.

Aurore BOIBESSOT / Trademark Attorney