Third-country transfers

On this page: data transfer, third-country transfer, sharing outside EU, EEA
Date of last review: 2023-08-18

When you want to share personal data with parties who are located outside of the European Economic Area (EEA), you need to take extra steps to make sure that the transfer is GDPR-compliant, such as:

• Assessing whether you can transfer the data at all using a Data Transfer Impact Assessment.
• Taking additional protective measures, such as Standard Contractual Clauses.
• Explicitly informing data subjects about the (possible) third-country transfer.
• … And possibly more.

What is a third-country transfer?

In legal terms, a transfer exists when personal data controlled by one party are accessible to another, irrespective of whether the data are physically sent to that party. An international/third-country transfer exists when the party that can potentially gain access is based in a country outside the European Economic Area (EEA) which does not have an adequacy decision from the European Commission.

There is a third-country transfer if personal data are stored at the servers of a non-EEA party, and when a cloud provider is used that has servers both in- and outside of the EEA.

There is no third-country transfer in the following cases:

• Personal data are stored at the university premises in the EEA, and are accessed from outside of the EEA by a researcher from that EEA university - this is not a transfer, provided that safeguards are in place to prevent other parties from gaining access.
• The party with whom the data are shared is already subject to the GDPR (e.g., the party is situated in Germany or Italy).

When is a third-country transfer possible?

GDPR Chapter V specifies all conditions under which an international transfer is allowed. The flowchart below indicates conditions that are most likely to apply to scientific research. Note that the flowchart assumes that you have taken sufficient safeguards to protect the personal data. To determine the possibilities of sharing data internationally in your project, we strongly advise you to consult with your privacy officer. In some cases a Data Transfer Impact Assessment may be required, which can take some effort.

---

Data Privacy Handbook

The information presented here is provided as is, with no guarantees of accuracy or completeness. For the most up-to-date information, please refer to your privacy officer, the university website or intranet. We cannot be held responsible for any negative consequences due to incorrect interpretation or use, and inconsistencies with policies/views of other institutions.

💡 Give feedback about this page | Privacy policy | Cite the Data Privacy Handbook