6 January 2020

Transferring Personal Data to Third Countries or Organisations under the GDPR in the Netherlands

Category: Privacy law

Since the introduction of the General Data Protection Regulation (‘GDPR’) in 2018, consumers in the Netherlands have been given more power over their personal information. However, one of the looming questions is under what circumstances can personal data be transferred to a third country not in the EU or to an international organisation?

Transfer of personal data

In order for an organisation to make a transfer of personal data to a third country or to an international organisation, they must abide by the relevant provisions of the GDPR. The protection given by the GDPR is about whether there is adequate protection of the personal data once it leaves the scope of the European Commission (‘the Commission’). Thus in order for an organisation to make a transfer of personal data, they must ask themselves whether or not the third country or international organisation have systems in place to provide the data with an adequate level of protection.

An Adequate Third Country or International Organisation for the Purposes of the GDPR

If the Commission deems that there is an adequate level of data protection with the third country or international organisation, then the data transfer will not require any specific authorisation by the Commission per article 45 GDPR.

A list of third countries that the Commission have deemed to have adequate levels of protection (as of when the GDPR came into force) include Andorra, Argentine, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States (only if the organisation receiving the data belongs to the privacy shield).

But BEWARE: ensure an adequate level of data protection

Article 35 gives the Commission the power to revoke a third country or international organisation from its adequacy list if it deems that the third country or organisation no longer ensures an adequate level of data protection. Therefore it is always advisable to check whether the third country or international organisation has been considered by the Commission as ‘adequate’.

What if the third country or organisation is not deemed adequate by the Commission?

If the Commission does not deem a third country or international organisation as having adequate data protection, a data transfer may still take place without specific authorisation – provided that there are appropriate safeguards. Therefore you need to implement one of the safeguards set out by article 46 GDPR. This includes (but is not limited to) a legally binding and enforceable instrument between public authorities, binding corporate rules and an approved code of conduct in accordance with the GDRP that is binding and legally enforceable.

Contractual clauses that have been authorised by the Dutch supervisory authority may also provide an adequate safeguard.

What if there are no safeguards to protect the personal data?

Article 49 GDPR outlines specific situations when personal data transfers can still be made if there are no safeguards present. These include (but are not limited to): explicit and fully informed consent of the data subject; the transfer is necessary for the performance of a contract between the organisation and the data subject or pre contractual measures taken at the data subject’s request; the transfer is necessary for the public interest and the transfer is a necessary part of a legal claim.

What if the transfer has no safeguards and does not fit into one of the specific categories?

Failing to meet any of the conditions to safeguard the transfer and to fit in one of the categories, an organisation may still be able to transfer the personal data to a third country or to an international organisation under very limited conditions. In any of these cases the competent supervisory authority must be informed of the transfer. These included non-repetitive cases where there is only a limited number of data subjects or it is necessary for the purposes of compelling legitimate interests that are not overridden by the interests or rights and freedoms of the data subject.

Conclusion of transferring personal data to a third country or international organisation

When it comes to transferring personal data to a third country or to an international organisation the most important question to ask is whether the third country or organisation is on the Commission’s adequate list. If that is not the case, then you must determine whether the third country or organisation has adequate safeguards, and whether the transfer falls within the specific categories set out by the GDPR.

GDPR lawyer Netherlands

Would you like to have any more information concerning the GDPR in the Netherlands? Does your organization transfer personal data to third countries? You can ask all your questions concerning the GDPR in the Netherlands to our GDPR lawyer in the Netherlands