Transfer of personal data to third countries for research

Here follows a general description of the legal requirements of transferring personal data to third countries for research.

Notwithstanding the possibility of transferring personal data to a third party, a personal data controller in Sweden must always comply with all the other requirements stipulated in the General Data Protection Act (GDPR). These include the basic requirements regarding the processing of personal data and the rules concerning when such processing is even permitted.

The personal data controller must therefore first determine whether the processing entailed in the transfer is even legal, and then if it is relevant to assess what is required for a transfer to a specific third country. This document only deals with the latter.

General rule

A transfer to a third country means that personal data processed in an EU or EEA country is made accessible in a country outside the EU/EEA. Third-country rules do not apply to transfers within the EU/EEA.

For this reason, GDPR stipulates that transfer may only take place under special circumstances. The possibilities for permitting the transfer of personal data being processed or intended to be processed in a third country can be divided into the following three groups:

1. The EU Commission has decided that the third country will ensure an adequate level of protection (Article 45).
2. The person processing the personal data has taken appropriate safeguards prior to the transfer and there are statutory rights and effective remedies for data subjects (Article 46).
3. Or there is an exception applicable under the first paragraph of Article 49 of GDPR (derogations for special situations), provided that transfer cannot take place in accordance with a and b above.

Adequate level of protection

The European Commission has analysed the data protection rules in various countries and determined that the level of protection is adequate in the following countries:

• Argentina
• Andorra
• Bailiwick of Guernsey
• The Faeroe Islands
• Isle of Man
• Israel
• Japan
• Jersey
• New Zeeland
• Switzerland
• Uruguay

The European Commission has also determined that the level of protection is adequate in certain areas or under certain conditions in:

• Canada: if their legislation for the protection of personal data in the private sector is applicable to the recipient’s processing of personal data.

The Court of Justice for the European Union determined 2020 in a ruling (Schrems II judgement) that the primary data transfer agreement between the EU and United States commonly known as Privacy Shield is invalid. Privacy Shield can no longer be used to transfer personal data from the EU/EES to the US for whatever purpose. Negotiations is on going between US and EU for a new agreement.

Brexit: The EU-UK Trade and Cooperation Agreement contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period until adequacy decisions (se above) come into effect, for up to six months. EU adequacy decisions for the UK would allow for the ongoing free flow of data from the EEA to the UK.

In the absence of a decision according to Article 45, personal data may be transferred to a country outside the EU / EEA if the legal entity transferring the data has taken appropriate protective measures, such as;

• A legally binding and enforceable instrument between public authorities or bodies
• Binding corporate rules in accordance with Article 47;
• Standard data protection clauses adopted by the EU Commission in accordance with the examination procedure referred to in Article 93(2);
• Standard data protection clauses adopted by a supervisory authority and approved by the EU Commission pursuant to the examination procedure referred to in Article 93(2);
• An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
• An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

There must also be statutory rights and the possibility for the data subjects to complain about the processing of personal data and have it tried in court.

Binding Corporate Rules (BCR) are rules that a company group with companies in several different countries can develop to regulate their processing of personal data.
Binding company regulations must be approved by Datainspektionen or any other supervisory authority in the EU.

The Commission has published standard contractual clauses (SCC) on data protection which may be signed with the counterparty to make an authorized transfer of personal data. The purpose of the SCC is to provide sufficient guarantees that the individual’s rights will be protected in the transfer of personal data to countries that do not have adequate levels of protection. The EU is revising the SCC due to the Schrems II ruling (see above).

The SCC in itself does not give any guaranties for a high level of protection of the transferred personal data. The data controller has an obligation regardless of a SCC to make certain that the level of protection in the data receiving country has a legislative adequate level of protection for personal data, which includes amongst other, effective remedies for the registered to exercise transparency and control over their data, or put in place technical and organizational measures that make certain that the freedom and rights of European citizens whose data is transferred are not violated in the third country.

There are three options to choose from for standard contract clauses. Two of these apply to transfer to other data controllers in third countries. The third relates to the transfer of personal data to data processors in third countries.

It is also permissible to base a transfer of personal data to a third country on approved codes of conduct/certification mechanisms or through legally binding and enforceable instruments, if the transfer takes place between authorities. Such an instrument between authorities can be a memorandum of understanding or an information exchange agreement within, for example, the tax area.

Derogations for special situations

If transfer to third countries cannot be done with the support of art. 45 (decision on adequate level of protection) or 46 (appropriate protective measures), transfer may take place within the framework of "case situations" as stated in Article 49.

1. The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
2. The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
3. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
4. The transfer is necessary for important reasons of public interest;
5. The transfer is necessary for the establishment, exercise or defence of legal claims;
6. The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
7. The transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

Ultimately, the transfer of personal data to a country outside the EU / EEA is permitted if it;

• Only takes place on a single occasion
• Applies to a limited number of registered
• Takes place after a balance of interests

When making such a balance of interests, the transfer must be necessary for purposes relating to the data controler’s mandatory and legitimate interests, and the controler shall weigh these against the interests, freedoms and rights of the data subject.

If the data subject's interests weigh heavier, the data controler is not allowed to transfer the personal data. The data controler must also make an assessment of all the circumstances surrounding the transfer, and then take appropriate measures to protect the personal data.

The data controller must inform both the data supervisory authority (in Sweden, Integritetsskyddsmyndigheten, IMY) and the data subjects about the transfer and about the mandatory legitimate interests that the controler wish to achieve.