Transfer of personal data to third countries for research

Here follows a general description of the legal requirements of transferring personal data to third countries for research.

Notwithstanding the possibility of transferring personal data to a third party, a personal data controller in Sweden must always comply with all the other requirements stipulated in the General Data Protection Act (GDPR). These include the basic requirements regarding the processing of personal data and the rules concerning when such processing is even permitted.

The personal data controller must therefore first determine whether the processing entailed in the transfer is even legal, and then if it is relevant to assess what is required for a transfer to a specific third country. This document only deals with the latter.

General rule

A transfer to a third country means that personal data processed in an EU or EEA country is made accessible in a country outside the EU/EEA. Third-country rules do not apply to transfers within the EU/EEA.

For this reason, GDPR stipulates that transfer may only take place under special circumstances. The possibilities for permitting the transfer of personal data being processed or intended to be processed in a third country can be divided into the following three groups:

1. The EU Commission has decided that the third country will ensure an adequate level of protection (Article 45).
2. The person processing the personal data has taken appropriate safeguards prior to the transfer and there are statutory rights and effective remedies for data subjects (Article 46).
3. Or there is an exception applicable under the first paragraph of Article 49 of GDPR (derogations for special situations), provided that transfer cannot take place in accordance with a and b above.

Adequate level of protection

The European Commission has analysed the data protection rules in various countries and determined that the level of protection is adequate in the following countries:

• Argentina
• Andorra
• Bailiwick of Guernsey
• The Faeroe Islands
• Isle of Man
• Israel
• Japan
• Jersey
• New Zeeland
• Switzerland
• Uruguay

The European Commission has also determined that the level of protection is adequate in certain areas or under certain conditions in:

• Canada: if their legislation for the protection of personal data in the private sector is applicable to the recipient’s processing of personal data.
• The United States: if the recipient (company) has itself considered that it meets the legal certainty guarantees set out in the EU-US agreement commonly referred to as Privacy Shield.

In the absence of a decision according to Article 45, personal data may be transferred to a country outside the EU / EEA if the legal entity transferring the data has taken appropriate protective measures, such as;

• A legally binding and enforceable instrument between public authorities or bodies
• Binding corporate rules in accordance with Article 47;
• Standard data protection clauses adopted by the EU Commission in accordance with the examination procedure referred to in Article 93(2);
• Standard data protection clauses adopted by a supervisory authority and approved by the EU Commission pursuant to the examination procedure referred to in Article 93(2);
• An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
• An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

There must also be statutory rights and the possibility for the data subjects to complain about the processing of personal data and have it tried in court.

Binding Corporate Rules (BCR) are rules that a company group with companies in several different countries can develop to regulate their processing of personal data.
Binding company regulations must be approved by Datainspektionen or any other supervisory authority in the EU.

The Commission has published standard contractual clauses (SCC) on data protection which may be signed with the counterparty to make an authorized transfer of personal data. The purpose of the contractual clauses is to provide sufficient guarantees that the individual’s rights will be protected in the transfer of personal data to countries that do not have adequate levels of protection.

There are three options to choose from for standard contract clauses. Two of these apply to transfer to other data controllers in third countries. The third relates to the transfer of personal data to data processors in third countries.

It is also permissible to base a transfer of personal data to a third country on approved codes of conduct/certification mechanisms or through legally binding and enforceable instruments, if the transfer takes place between authorities. Such an instrument between authorities can be a memorandum of understanding or an information exchange agreement within, for example, the tax area.

Derogations for special situations

If transfer to third countries cannot be done with the support of art. 45 (decision on adequate level of protection) or 46 (appropriate protective measures), transfer may take place within the framework of "case situations" as stated in Article 49.

1. The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
2. The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
3. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
4. The transfer is necessary for important reasons of public interest;
5. The transfer is necessary for the establishment, exercise or defence of legal claims;
6. The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
7. The transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

Ultimately, the transfer of personal data to a country outside the EU / EEA is permitted if it;

• Only takes place on a single occasion
• Applies to a limited number of registered
• Takes place after a balance of interests

When making such a balance of interests, the transfer must be necessary for purposes relating to the data controler’s mandatory and legitimate interests, and the controler shall weigh these against the interests, freedoms and rights of the data subject.

If the data subject's interests weigh heavier, the data controler is not allowed to transfer the personal data. The data controler must also make an assessment of all the circumstances surrounding the transfer, and then take appropriate measures to protect the personal data.

The data controller must inform both the data supervisory authority (in Sweden, Datainspektionen) and the data subjects about the transfer and about the mandatory legitimate interests that the controler wish to achieve