Overview
This article allows personal data transfers to third countries or international organizations without an adequacy decision, provided that appropriate safeguards are in place. Safeguards ensure enforceable data subject rights and access to legal remedies, and may include binding corporate rules, standard contractual clauses, approved codes of conduct, or certifications. Supervisory authorities oversee these safeguards where necessary.
Key Principles
Enforceable Safeguards: Transfers must guarantee protection of data subject rights.
Legal Remedies: Individuals must have mechanisms to exercise their rights and seek redress.
Transfer Mechanisms: Acceptable safeguards include binding corporate rules, standard clauses, approved codes, or certifications.
Supervisory Oversight: Authorities may review and approve safeguards for compliance.
Organizational Applicability
This article applies to all organizations transferring personal data outside the EU/EEA to a country or international organization not covered by an adequacy decision:
Controllers and processors managing EU/EEA personal data.
Public and private sector entities engaged in cross-border data transfers lacking adequacy recognition.
Teams responsible for compliance, international data flows, and governance.
Implementation Requirements
Implement appropriate safeguards prior to transferring data internationally.
Ensure safeguards provide enforceable data subject rights and legal remedies.
Document the transfer mechanisms and safeguards in use.
Obtain approval from or coordinate with supervisory authorities if required.
Implementation Guidance
Use standard contractual clauses or binding corporate rules for international data transfers.
Leverage approved codes of conduct or certification mechanisms to demonstrate compliance.
Train staff on managing cross-border transfers under appropriate safeguards.
Review and update safeguards regularly to ensure continued compliance.
Periodic Review
Frequency: Annually or when transfer mechanisms, recipients, or regulations change.
Responsible Role: Data Protection Officer (DPO), Compliance Team, or Legal.
Outcome: Ensure international transfers remain safeguarded and data subject rights are enforceable.
Non-Compliance Risks
Fines: Up to €20 million or 4% of global annual turnover.
Legal Exposure: Enforcement actions for transferring data without valid safeguards.
Reputational Damage: Loss of trust due to non-compliant international data handling.
Operational Risk: Inadequate safeguards may result in regulatory scrutiny or blocked transfers.