Privacy

(International) transfer of personal data

Do you exchange personal data with other parties and do you know what requirements this transfer must meet? Even internationally?

More than ever, personal data is being shared with other parties. This can be on a national or international level. Doing so requires careful consideration based on thorough knowledge of the legal rules. The responsible sharing of personal data, within collaborations or otherwise, also requires good agreements. This is required by law and necessary for proper risk allocation.

Transfer outside EU

Special attention needs to be paid to the transfer of personal data to countries where the rules are less strict than in the Netherlands or the other EU countries (e.g. in the context of outsourcing services to a low-wage country). In accordance with the General Data Protection Regulation, transfer of personal data within the EU is in principle not a problem. Transfer outside the EU is only lawful if appropriate safeguards are in place, such as the conclusion of EU Standard Contractual Clauses, Binding Corporate Rules and the Privacy Shield introduced in the United States.

We are happy to advise you in making and recording agreements with parties with whom you share personal data. Naturally, we can also draft, review or amend contract texts for you and, if you wish, conduct the negotiations for you.

We translate strategic choices into operational contracts. Examples include:
  • processor agreements
  • outsourcing contracts
  • cloud agreements
  • privacy policies
  • cooperation agreements
  • cooperation protocols
  • contracts for international transmission

Challenges in international data transfers

The international transfer of personal data, especially outside the EEA, involves significant risks and complexities due to the stringent requirements of the GDPR. Regulatory compliance is essential to avoid sanctions and maintain the trust of customers and partners.

Legal mechanisms for data transfer

It is crucial to use legitimate data transfer mechanisms such as adequacy decisions, standard contractual clauses (SCCs), or binding corporate rules (BCRs) for intra-group transfers. These tools help ensure an adequate level of protection for personal data in transfers.

Entrepreneurs and international transmission

For business owners looking to transfer personal data internationally, strict compliance with the GDPR is essential. This means implementing valid transfer mechanisms, monitoring data flows, and being prepared for potential data leaks or breaches.

Documentation on international transmission

Properly documenting all aspects of international data transfers is not only a requirement of the GDPR, but it also allows your organization to demonstrate accountability and compliance. Here is an overview of essential documentation you should keep:
  1. Legitimate mechanisms for transfers:
    Document what mechanisms you use for each transfer, such as adequacy decisions, standard contractual clauses (SCCs), or binding corporate rules (BCRs). Ensure that copies of relevant contracts or agreements are easily accessible.
  2. Data Protection Impact Assessments (DPIAs):
    Conduct DPIAs for transfers likely to pose a high risk to the rights and freedoms of natural persons and document the findings and measures taken to mitigate any risks.
  3. Overview of transfers:
    Keep detailed records of all international transfers of personal data, including information on the nature of the data, the purpose of the transfer, the receiving party and country, and the data protection measures applied.
  4. Consents:
    If the transfer is based on the data subject's consent, document how, when, and in what context that consent was obtained, and how a data subject can withdraw consent.
  5. Breach notifications:
    In the event of a data breach during the transfer, document the details of the breach, the effects, individuals affected, measures taken to address the breach, and all communications with supervisory authorities and data subjects.
  6. Reviews of third parties:
    If you transfer data to third parties, make sure you have documented reviews of their data protection practices and assurances, and keep a record of all third parties to which you transfer data.

FAQ