Here follows a general description of the legal requirements of transferring personal data to third countries for research.
Notwithstanding the possibility of transferring personal data to a third party, a personal data controller in Sweden must always comply with all the other requirements stipulated in the General Data Protection Act (GDPR). These include the basic requirements regarding the processing of personal data and the rules concerning when such processing is even permitted.
The personal data controller must therefore first determine whether the processing entailed in the transfer is even legal, and then, if relevant, assess what is required for a transfer to a specific third country. This document only deals with the latter.
A transfer to a third country means that personal data processed in an EU or EEA country is made accessible in a country outside the EU/EEA. Third-country rules do not apply to transfers within the EU/EEA.
For this reason, GDPR stipulates that transfer may only take place under special circumstances. The possibilities for permitting the transfer of personal data being processed or intended to be processed in a third country can be divided into the following three groups:
The European Commission has analysed the data protection rules in various countries and determined that the level of protection is adequate in the following countries:
The European Commission has also determined that the level of protection is adequate in certain areas or under certain conditions in:
In the absence of a decision according to Article 45, personal data may be transferred to a country outside the EU/EEA if the legal entity transferring the data has taken appropriate protective measures, such as:
There must also be statutory rights and the possibility for the data subjects to complain about the processing of personal data and have it tried in court.
Binding Corporate Rules (BCR) are rules that a company group with companies in several different countries can develop to regulate their processing of personal data.
Binding Corporate Rules must be approved by Datainspektionen or any other supervisory authority in the EU.
The Commission has published standard contractual clauses (SCC) on data protection which may be signed with the counterparty to make an authorized transfer of personal data. The purpose of the contractual clauses is to provide sufficient guarantees that the individual’s rights will be protected in the transfer of personal data to countries that do not have adequate levels of protection.
There are three options to choose from for standard contract clauses. Two of these apply to transfer to other data controllers in third countries. The third relates to the transfer of personal data to data processors in third countries.
It is also permissible to base a transfer of personal data to a third country on approved codes of conduct/certification mechanisms or through legally binding and enforceable instruments, if the transfer takes place between authorities. Such an instrument between authorities can be a memorandum of understanding or an information exchange agreement within, for example, the tax area.
If a transfer to a third country cannot be done with the support of Article 45 (decision on adequate level of protection) or Article 46 (appropriate protective measures), the transfer may take place within the framework of "case situations" as stated in Article 49.
Ultimately, the transfer of personal data to a country outside the EU/EEA is permitted if it:
When making such a balance of interests, the transfer must be necessary for purposes relating to the data controller’s mandatory and legitimate interests, and the controller shall weigh these against the interests, freedoms and rights of the data subject.
If the data subject's interests weigh heavier, the data controller is not allowed to transfer the personal data. The data controller must also make an assessment of all the circumstances surrounding the transfer, and then take appropriate measures to protect the personal data.
The data controller must inform both the data supervisory authority (in Sweden, Datainspektionen) and the data subjects about the transfer and about the mandatory legitimate interests that the controller wishes to achieve.