Here follows a general description of the legal requirements for transferring personal data to third countries for research purposes.
Regardless of whether a transfer to a third country is possible, a personal data controller in Sweden must always comply with all the other requirements of the General Data Protection Regulation (GDPR). These include the basic principles for the processing of personal data and the rules on when such processing is permitted at all.
The personal data controller must therefore first determine whether the processing that the transfer entails is lawful in itself, and only then, if relevant, assess what is required for a transfer to a specific third country. This document deals only with the latter.
A transfer to a third country means that personal data processed in an EU or EEA country is made accessible in a country outside the EU/EEA. The third-country rules do not apply to transfers within the EU/EEA.
Because the protection that the GDPR provides does not automatically follow the data outside the EU/EEA, the GDPR stipulates that such a transfer may only take place under special circumstances. The legal grounds for transferring personal data that is processed, or intended to be processed, in a third country can be divided into the following three groups:
The European Commission has analysed the data protection rules in various countries and determined that the level of protection is adequate in the following countries:
The European Commission has also determined that the level of protection is adequate in certain areas or under certain conditions in:
In 2020 the Court of Justice of the European Union ruled (the Schrems II judgment) that the primary data transfer arrangement between the EU and the United States, commonly known as Privacy Shield, is invalid. Privacy Shield can no longer be used to transfer personal data from the EU/EEA to the US for any purpose. Negotiations between the US and the EU on a new agreement are ongoing.
Brexit: The EU-UK Trade and Cooperation Agreement contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period, for up to six months, until adequacy decisions (see above) come into effect. EU adequacy decisions for the UK would allow the ongoing free flow of data from the EEA to the UK.
In the absence of an adequacy decision under Article 45, personal data may be transferred to a country outside the EU/EEA if the legal entity transferring the data has put in place appropriate safeguards, such as:
In addition, the data subjects must have enforceable rights and the possibility to complain about the processing of their personal data and to have the matter tried in court.
Binding Corporate Rules (BCR) are rules that a corporate group with companies in several different countries can adopt to regulate its processing of personal data within the group.
Binding Corporate Rules must be approved by the competent supervisory authority in the EU; in Sweden this is Integritetsskyddsmyndigheten (IMY, formerly Datainspektionen).
The Commission has published standard contractual clauses (SCC) on data protection which may be incorporated in a contract with the recipient in order to authorise a transfer of personal data. The purpose of the SCC is to provide sufficient guarantees that the individual's rights will be protected when personal data is transferred to countries that do not have an adequate level of protection. The Commission is revising the SCC as a consequence of the Schrems II ruling (see above).
The SCC do not in themselves guarantee a high level of protection for the transferred personal data. Regardless of the SCC, the data controller is obliged to make certain that the legislation of the receiving country provides an adequate level of protection for personal data, which includes, among other things, effective remedies allowing the data subjects to exercise transparency and control over their data. If it does not, the controller must put in place technical and organisational measures that ensure that the rights and freedoms of the data subjects whose data are transferred are not violated in the third country.
There are three sets of standard contractual clauses to choose from. Two of these apply to transfers to other data controllers in third countries. The third relates to transfers of personal data to data processors in third countries.
It is also permissible to base a transfer of personal data to a third country on an approved code of conduct or certification mechanism, or, when the transfer takes place between public authorities, on a legally binding and enforceable instrument. Such an instrument between authorities can be a memorandum of understanding or an information exchange agreement within, for example, the tax area.
If a transfer to a third country cannot be based on Article 45 (adequacy decision) or Article 46 (appropriate safeguards), it may still take place under one of the derogations for specific situations set out in Article 49.
Ultimately, the transfer of personal data to a country outside the EU/EEA is permitted if it:
When making such a balance of interests, the transfer must be necessary for the purposes of the data controller's compelling legitimate interests, and the controller shall weigh these against the interests, rights and freedoms of the data subject.
If the data subject's interests weigh heavier, the data controller is not allowed to transfer the personal data. The data controller must also assess all the circumstances surrounding the transfer and, on the basis of that assessment, put in place suitable safeguards to protect the personal data.
The data controller must inform both the supervisory authority (in Sweden, Integritetsskyddsmyndigheten, IMY) and the data subjects about the transfer and about the compelling legitimate interests that the controller wishes to pursue.