Transfer of personal data to third country or international organizations

GDPR imposes increased restrictions on the transfer of personal data outside of EU/EEA and to international organizations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined when personal data gets transfered. When personal data becomes available to anyone in a country outside of the EU/EEA it counts as a third country transfer

EU countries: Belgium, Bulgaria, Cyprus, Denmark, Estonia, Finland, France, Greece, Ireland, Italy, Croatia, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, United Kingdom, Sweden, Czech Republic, Germany, Hungary and Austria.

EEA countries: Iceland, Liechtenstein and Norway

Examples of third country transfers:

  • When a document containing personal data is sent by e-mail to someone in a third country.
  • When KI hires a processor that process personal data in a third country.
  • When someone outside of EU/EEA has access, such as reading permission, to personal data stored in the EU/EEA.
  • When personal data is stored in a cloud service based outside of EU/EEA.
  • When personal data is stored, for example, on a server, in a third country.

Conditions for transfer to a third country:

Personal data may only be transferred to a third country in compliance with some of the conditions set out in GDPR, given that the all of the other requirements in GDPR are met. A third country can be made in if:

  1. The country has an adequate level of protection for personal data according to the EU Commission
  2. There are appropriate safeguards in place, such as binding corporate rules (BCR), standard contractual clauses (SCC) approved by the EU Commission, an approval with code of conducts or by approved certification mechanism
  3. Specific situations and occasional cases, see detailed information of these situations below.

Before a transfer to a third country, the needs of the transfer should be considered and analyzed, there might be other solutions to avoid the transfer. There are tough restrictions for the transfer and the risks for the data subject are high, therefore the risks that could arise from the transfer shall always be analyzed carefully.

Specific situations and occasional cases where a transfer to a third country may be permitted:

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks that could arise for the data subject due to the absence of an adequacy decision and appropriate safeguards
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person
  • the transfer is necessary for important reasons of public interest
  • the transfer is necessary for the establishment, exercise or defense of legal claims
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent
  • the transfer is made from a register which according to European Union or Swedish law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by the European Union or Swedish law for consultation are fulfilled in the particular case.

If you are unsure about a transfer to someone outside of Sweden, or if you have questions about transfer to a third country, contact dataskyddsombud@ki.se