Third-country transfers

On this page: data transfer, third-country transfer, sharing outside EU, EEA
Date of last review: 2023-08-18

When you want to share personal data with parties who are located outside of the European Economic Area (EEA), you need to take extra steps to make sure that the transfer is GDPR-compliant, such as:

What is a third-country transfer?

In legal terms, a transfer exists when personal data controlled by one party are accessible to another, irrespective of whether the data are physically sent to that party. An international/third-country transfer exists when the party that can potentially gain access is based in a country outside the European Economic Area (EEA) which does not have an adequacy decision from the European Commission.

There is a third-country transfer if personal data are stored at the servers of a non-EEA party, and when a cloud provider is used that has servers both in- and outside of the EEA.

There is no third-country transfer in the following cases:

  • Personal data are stored at the university premises in the EEA, and are accessed from outside of the EEA by a researcher from that EEA university - this is not a transfer, provided that safeguards are in place to prevent other parties from gaining access.
  • The party with whom the data are shared is already subject to the GDPR (e.g., the party is situated in Germany or Italy).

When is a third-country transfer possible?

GDPR Chapter V specifies all conditions under which an international transfer is allowed. The flowchart below indicates conditions that are most likely to apply to scientific research. Note that the flowchart assumes that you have taken sufficient safeguards to protect the personal data. To determine the possibilities of sharing data internationally in your project, we strongly advise you to consult with your privacy officer. In some cases a Data Transfer Impact Assessment may be required, which can take some effort.

Flowchart about 
international data transfers. If you are transferring data to countries 
within the European Economic Area, no additional measures are required. If 
you however transfer data outside of the European Economic Area, we 
recommend to contact your faculty privacy officer to take the proper 
measures.