According to the GDPR, data can only be disclosed outside the European Economic Area in the following cases:
- To specific countries, territories or sectors (the GDPR also includes international organisations) for which the European Commission has decided that they offer an adequate level of protection.
- When adequate guarantees have been offered about the protection that the data will receive at its destination, by means of:
  - A legally binding and enforceable instrument between public authorities or bodies.
  - Binding corporate rules (BCR).
  - Standard data protection clauses adopted by the European Commission or by the Catalan Data Protection Authority.
  - The authorisation of the Catalan Data Protection Authority, on the basis of:
    - Contractual clauses.
    - Provisions that are incorporated into binding agreements between public bodies that include enforceable rights.
  - A code of conduct that incorporates binding and enforceable commitments.
  - A certification mechanism that incorporates binding and enforceable commitments.
- When any of the exceptions apply that are provided for in Article 49 of the GDPR that allow for the transfer of data without the guarantee of appropriate safeguards, for reasons of necessity linked to the interest of the data subject or to general interests.
The GDPR envisages that each Member State shall entrust supervision over application of the GDPR to one or more independent supervisory authorities. Thus, it expressly provides for the possibility that there may be several data protection authorities in the same state.
In accordance with the GDPR, the Catalan Data Protection Authority is the competent supervisory authority for international transfers involving the entities included within the scope of action of said Authority, given that in those states where there is more than one authority, each authority shall carry out all the functions established in Article 57, including those provided for under letter r on international transfers.
The judgement of the Court of Justice of the European Union of 16 July 2020 annulled EU Decision 2016/1250 of 12 July 2016, approving the Privacy Shield. Therefore, from this date, international data transfers to companies affiliated to the Privacy Shield must be based on one of the other instruments provided for in the GDPR.
For more details on the effects of this ruling on the Privacy Shield, and also on the effects it may have on other instruments for making international transfers of personal data, you can refer to the Frequently Asked Questions published by the European Data Protection Board.