GDPR: What do I need to think about when transferring personal data to third countries or international organisations?

If you collaborate with researchers, partners or institutions located in another country, within or outside the EU, in your research, you must pay attention when making personal data accessible, forwarding or exchanging. This also applies when you use processors or subcontractors, such as Qualtrics (processor based in the USA). Moreover, this does not only apply to collaborations, but also to the mere transfer of personal data.

Transfer of personal data to another country within the EU, Norway, Iceland or Liechtenstein (EEA)

The GDPR ensures uniformity of privacy policy within the EU allowing for the free movement of personal data within the EEA (28 EU member states + Norway, Iceland, Liechtenstein). If you collaborate with researchers, partners or institutions located within the EU, Norway, Iceland or Liechtenstein, or want to exchange personal data, you only need a processing agreement to correctly record the access, transfer or exchange of personal data. You can contact contracts@ugent.be for drawing up a processor agreement.

Transfer of personal data to a country outside the EEA or to international organisations

Transfer of personal data to countries outside the EEA or international organisations is only allowed if the country or organisation in question can guarantee an “adequate level of protection” for the processing of personal data.

1. Transfer of personal data to countries outside the EEA for which an adequacy decision applies

The European Commission has already issued an adequacy decision to a number of countries confirming that the country has an adequate level of protection. The most recent list of countries can be found here.

However, the transfer or forwarding must be contractually recorded in a processing agreement. You can contact contracts@ugent.be for drawing up a processor agreement.

2. Transfer of personal data to countries outside the EEA for which NO adequacy decision applies

If a country is not on the list of adequacy decisions, the transfer of personal data is only possible in one of the following cases:

  • The use of standard data protection clauses in an agreement / contract between your own institution / organisation and the receiving institution / organisation (see FAQ x)
  • This is an exceptional situation (Article 49 of the GDPR).
  • The explicit consent from the data subjects for the occasional transfer of data. The data subjects must also be informed of the risks that this transfer may entail for them.

However, the transfer or forwarding must be contractually recorded in a processing agreement. You can contact contracts@ugent.be for drawing up a processor agreement.

It is important to make a self-assessment of the possible risks for the data subjects, taking into account both the nature of the personal data, and also the safeguards of the organisation and the existing privacy legislation in the country.

General considerations

  • Always ensure secure transmission (e.g. via Belnet FileSender, encrypted, etc.).
  • There can be only one legal ground per data transfer.
  • The legal ground for data transfer must be one of the following:
    • The individuals participating in the study have freely given their explicit informed consent to the data transfer.
    • The data transfer takes place in the public interest, which means that it leads to an increase of knowledge and understanding for the benefit of society, directly or indirectly.
    • The data transfer is necessary for the legitimate interests of UGent or UZ Gent, but does not entail major risks for the individuals participating in the study.
    • The data transfer is necessary for the performance of an agreement with the person whose data is being processed (note: this is not about the processor agreement).
    • The transfer of personal data is necessary in the context of a legal obligation of Ghent University.

More tips

Translated tip


Last modified Oct. 29, 2020, 10:30 a.m.