GDPR series interpretation 3: How do European subsidiaries transfer data back to their domestic parent companies?
2022-04-23 11:47:00 【Digital beauty technology】
For international trade and cooperation, data flows with countries outside the EU are indispensable, but the growing cross-border flow of data also brings new challenges and concerns for personal data protection. When data flows between EU and non-EU countries, it should continue to receive the same level of protection it enjoys within the EU. The GDPR stipulates that, in all cases, transfers of data to third countries or international organizations must comply with the relevant provisions.
01 Definition of cross-border transfer
Chapter V of the GDPR is dedicated to the rules for transferring personal data to third countries or international organizations, commonly known as cross-border data transfer (a "third country" is generally understood to mean a country that is not a party to the EU treaties).
In November 2021, the European Data Protection Board (EDPB) adopted Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, which uses concrete case studies to help Member States better understand the GDPR's cross-border transfer rules and resolve practical problems encountered in enforcement.
Source: EDPB
In general, a data transfer is recognized as a "cross-border data transfer" in the GDPR sense only when the following three conditions are all met; none may be missing:
(1) The data exporter (a controller or processor) carries out processing activities that fall within the jurisdiction of the GDPR. Whether the GDPR applies can be judged with reference to the earlier article in this series on the GDPR's scope of application.
(2) The data exporter makes personal data under its processing activity available to a data importer by transmission or other means. The data importer may be a controller, joint controller, or processor; its role depends on the division of labor in the processing activity.
(3) The data importer is located in a third country or is an international organization, regardless of whether that overseas recipient is itself subject to the GDPR's extraterritorial jurisdiction.
For example, an Italian user A shops on Singapore-based shopping website B and submits personal data such as phone number, address, and bank account when placing the order. In this case, because A's personal data is submitted voluntarily to the Singapore company B without passing through any data exporter, the transmission is not a cross-border transfer and needs no additional review.
Source: Data law union
So when a subsidiary located in the EU shares data with a parent company located in a third country, is that a cross-border transfer? In this case, the subsidiary is regarded as a data controller located in the EU and the parent company receiving the data as a data processor, so the data sharing is considered to fall within the cross-border data transfer provisions and Chapter V of the GDPR applies.
Another transfer scenario is common among Chinese enterprises. Chinese enterprise A has no operating entity in the EU, and all the personal data it collects concern non-EU residents, so A is not subject to GDPR jurisdiction. In the course of business, however, A hands its data to EU enterprise B for processing, and B then returns the processed data to A. In this case, because B's processing activities fall within the jurisdiction of the GDPR, sending the data back to A still constitutes a cross-border data transfer.
02 What conditions must a cross-border data transfer meet?
The GDPR stipulates that personal data may be transferred to non-EU countries under two specific conditions: the destination has been recognized by the European Commission as providing adequate protection (transfers on the basis of an adequacy decision), or the transfer is subject to appropriate safeguards.
1. Adequacy decision
When the destination has received an adequacy decision from the European Commission, no additional authorization is required for EU countries to transfer data to it; complying with the GDPR's general provisions on data transfers is sufficient. A third country or international organization is assessed for adequacy on the following criteria:
(1) The rule of law, respect for human rights and fundamental freedoms, and the relevant legislation and its enforcement;
(2) Whether the third country, or the country in which the international organization is located, has an independent supervisory authority responsible for data protection;
(3) The international commitments the third country or international organization has entered into, legally binding conventions or instruments, and participation in multilateral or regional systems relating to data protection.
The European Commission determines adequacy according to the above criteria and reviews it every four years. Countries recognized as adequate are published in the Official Journal of the European Union and on the European Commission's website. The countries that currently meet the adequacy standard are: Andorra, Guernsey, Jersey, Argentina, Israel, New Zealand, Canada, the Isle of Man, Switzerland, the Faroe Islands, Japan and Uruguay.
Source: Privacy Study Groups
2. Appropriate safeguards
After all, only a few countries have obtained an EU adequacy decision. When the destination has no adequacy decision but can provide appropriate measures to protect the rights and freedoms of data subjects, and data subjects have access to legal remedies, transfers to it are also permitted. These safeguards include the following eight:
(1) A legally binding and enforceable instrument between public authorities or bodies.
(2) Binding corporate rules.
(3) Standard data protection clauses adopted by the European Commission.
(4) Standard data protection clauses adopted by a supervisory authority and approved by the European Commission.
(5) An approved code of conduct, together with binding and enforceable commitments by the controller or processor in the third country to apply appropriate safeguards and protect data subjects' rights.
(6) An approved certification mechanism, together with binding and enforceable commitments by the controller or processor in the third country to apply appropriate safeguards and protect data subjects' rights.
(7) Contractual clauses between the controller or processor and the controller, processor or recipient in the third country or international organization.
(8) Provisions inserted into administrative arrangements between public authorities or bodies, including enforceable and effective data subject rights.
At present, the safeguards commonly used for enterprise data transfers are binding corporate rules (BCR) and standard contractual clauses (SCC).
Binding corporate rules mainly apply to transfers of personal data within a group of organizations or a multinational enterprise. Standard contractual clauses are regarded as the main route by which EU personal data leaves the EU; they are clauses approved by the European Commission, which enterprises may not alter at will. Most Chinese companies choose to sign SCCs as the safeguard for their cross-border data transfers.
03 Special cases of cross-border transfer
If the destination has not received an adequacy decision from the European Commission and none of the safeguards above can be applied, personal data may be transferred to a third country or international organization only if the following conditions are met:
(1) The transfer is not repetitive.
(2) Only a limited number of data subjects are involved.
(3) The transfer is necessary for the purposes of compelling legitimate interests pursued by the controller, and those interests are not overridden by the interests or rights and freedoms of the data subject.
(4) The controller has assessed all the circumstances surrounding the transfer and, on the basis of that assessment, has provided suitable safeguards for the protection of personal data.
In other words, when a transfer is occasional and necessary, involves few data subjects, and the controller or processor has taken appropriate protective measures to ensure data security, such a cross-border transfer does not require additional permission.
04 Compliance advice
Given the complexity of real transnational business, enterprises expanding abroad should pay particular attention to every EU-related link in the data life cycle and determine whether it is bound by the GDPR's cross-border transfer rules. For business that does meet the GDPR's definition of a cross-border transfer, multinational corporations may consider adopting binding corporate rules, while ordinary enterprises can adopt standard contractual clauses, ensuring that both parties to the transfer comply.
In July 2020, the Court of Justice of the European Union handed down its Schrems II ruling, which clarified the legal effect of standard contractual clauses (SCC): both parties to a transfer must not only abide by the clauses but also verify whether the destination country has corresponding legislation and whether it can provide personal data transferred there with the degree of protection the GDPR requires. The ruling also invalidated the EU-US Privacy Shield agreement, greatly disrupting data transfers between many American Internet companies and the EU. The continuous stream of new GDPR enforcement cases likewise forces enterprises to keep following the latest developments.
Copyright notice
This article was written by [Digital beauty technology]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/04/202204231139099831.html