GDPR: What do I need to think about when transferring personal data to third countries or international organisations?

If you collaborate with researchers, partners or institutions located in another country, within or outside the EU, in your research, you must pay attention when making personal data accessible, forwarding or exchanging. This also applies when you use processors or subcontractors, for example when you are using websurveys hosted by platforms such as Qualtrics (processor based in the USA). Moreover, this does not only apply to collaborations, but also to the mere transfer of personal data.

Transfer of personal data to another country within the EU, Norway, Iceland or Liechtenstein (EEA)

The GDPR ensures uniformity of privacy policy within the EU allowing for the free movement of personal data within the EEA (28 EU member states + Norway, Iceland, Liechtenstein). If you collaborate or want to exchange personal data with researchers, partners or institutions located within the EU, Norway, Iceland or Liechtenstein you only need a processing agreement to correctly record the access, transfer or exchange of personal data. You can contact the legal support office of TechTransfer for drawing up a data processing agreement.

In addition to drawing up a data processing agreement, you must always respect the general principles of the GDPR (including lawfulness, see below 'general considerations').

Transfer of personal data to a country outside the EEA or to international organisations

Transfer of personal data to countries outside the EEA or international organisations is only allowed if the country or organisation in question can guarantee an “adequate level of protection” for the processing of personal data.

1. Transfer of personal data to countries outside the EEA for which an adequacy decision applies

The European Commission has already issued an adequacy decision to a number of countries confirming that the country has an adequate level of protection. The most recent list of countries can be found here.

For the United Kingdom, an adequacy decision was adopted by the European Commission on 28 June 2021. This decision is expected to last until 27 June 2025. This means that you can exchange personal data with the UK until 27 Junie 2025. Nevertheless, the general principles of the GDPR must always be respected (such as such as respect for lawfulness, compatibility of the transfer with the original processing, notification to data subjects).

For the United States, an adequacy decision (the EU-US Data Privacy Framework) was adopted by the European Commission on 10 July 2023 for US' companies participating in the EU-US Data Privacy Framework. This means that data can flow freely to US companies participating in the Data Privacy Framework. A list of companies participating in the Data Privacy Framework can be found here. Nevertheless, the general principles of the GDPR (such as respect for lawfulness, compatibility of the transfer with the original processing, notification to data subjects) must always be respected.

Transfer of research data relating to pharmaceutical and medical products is subject to additional conditions.

Attention! Any transfer or forwarding of personal data must always be laid down contractually, for example in a data processing agreement. You can contact the legal support office of TechTransfer for this.

2. Transfer of personal data to countries outside the EEA for which NO adequacy decision applies

If a country is not on the list of adequacy decisions, the transfer of personal data is only possible in one of the following cases:

  • The use of standard data protection clauses in an agreement / contract between your own institution / organisation and the receiving institution / organisation (also referred to as 'standard contractual clauses'). These clauses enable a transfer to a country or organisation by providing appropriate protection through a contract.
  • It concerns an exceptional situation that must be justified exhaustively as listed in the GDPR itself (Article 49 of the GDPR). Such as requesting explicit consent from the data subjects for the incidental transfer of data. The data subjects must also be informed of the risks this transfer possibly may entail for them.

For transfers to companies in the United States that do not participate in the Data Privacy Framework, transfer from Ghent University can currently only take place by invoking standard contractual clauses or the use of the exceptions of Article 49 of the GDPR (not for structural transfers). In addition, following the Schrems II case, specific additional measures need to be available for transfers of personal data to the US. Which additional measures are possible, the European Data Protection Board described in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (such as encryption and pseudonymisation).

Again, the general principles of the GDPR should always be respected (such as respect for lawfulness, compatibility of the transfer with the original processing, notification to data subjects).

Attention! Any transfer or forwarding of personal data must always be laid down contractually, for example in a data processing agreement. You can contact the legal support office of TechTransfer for this.

It is important to make a self-assessment of the possible risks for the data subjects, taking into account both the nature of the personal data, and also the safeguards of the organisation and the existing privacy legislation in the country.

General considerations

  • Always ensure secure transmission (e.g. via Belnet FileSender, encrypted, etc.).
  • There can be only one legal ground per data transfer (lawfulness).
  • The legal ground for data transfer must be one of the following:
    • The individuals participating in the study have freely given their explicit informed consent to the data transfer.
    • The data transfer takes place in the public interest, which means that it leads to an increase of knowledge and understanding for the benefit of society, directly or indirectly.
    • The data transfer is necessary for the legitimate interests of UGent or UZ Gent, but does not entail major risks for the individuals participating in the study.
    • The data transfer is necessary for the performance of an agreement with the person whose data is being processed (note: this is not about the processor agreement).
    • The transfer of personal data is necessary in the context of a legal obligation of Ghent University.
 

More tips

Translated tip


Last modified Aug. 28, 2024, 9:40 a.m.