This website use cookies Accept

Subscribe to our exclusive weekly newsletter

Join our mailing list and receive every week our news and tips into your mailbox!

GDPR Data Transfers and Binding Corporate Rules

As the GDPR law not only effects data protection and transfers within the European Union, it is important to know about how to remain GDPR-complaint when transferring data outside the European Economic Area.

Data Transfer from EU to 3rd Party Countries

December 1, 2017

One of the data protection challenges that the GDPR law poses for organisations is the compliant transferring of data to countries outside the European Economic Area. The law does permit personal data transfers to what are known as third-party countries and international organisations, but there are various things to ensure first.
Every non-compliant data transfer that your organisation makes could result in a fine of up to 4% of global annual turnover – a serious punishment worth avoiding – so we’ve looked into what sort of restrictions and allowances will come into effect when the GDPR becomes law in May 2018.
For a data transfer to a third-party country to take place, Article 45 of the EU data protection regulation requires that the third-party country in question be considered (by the European Commission) to have adequate personal data protection measures in place. But there are a few circumstantial exceptions to this rule.

Binding Corporate Rules

‘BCRs’ permit the transfer of data within a multinational corporation, provided that the rules fulfil the outlined conditions and requirements.
Article 46 stipulates the conditions under which ‘binding corporate rules’ (BCRs) may be approved by a supervisory authority if they are ‘in accordance with the consistency mechanism set out in Article 63’.


There are various derogations for third party transfers that relieve the requirement for specific authorisation of supervisory authority that are outlined in Article 47. For instance, a ‘legally binding and enforceable instrument between public authorities or bodies’ can provide the correct safeguards for a legal third-party GDPR data transfer.
Some of the more specific exemptions include:

  • If the data subject is aware of the risks and explicitly consents to the data transfer. It is important to note that ‘Explicit consent’ is not ‘unambiguous consent’ – explicit consent “must specify the nature of data that’s being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer” (Directive 95/46/EC of the European Parliament).
  • If the transfer is deemed necessary for reasons of public interest
  • If the transfer is necessary to protect the vital interests of the data subject
  • If the transfer is necessary to fulfil or exercise a legal claim
  • If the transfer is necessary to conclude or fulfil the performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person
  • If the transfer that is intended to provide information to the public and which is open to consultation either by the public or any person who can demonstrate legitimate interest – according to the Union or Member State law.


[democracy id=”3″]

Codes of conduct

If a code of conduct of an association or representative body is to be used to demonstrate compliance, it must first be approved by the appropriate supervisory authorities. It’s advisable for organisations who are considering this method of compliance to get a head-start and find (or create) a representative body or association to develop a code of conduct for later approval.
Codes of conduct that only effect a single member state must be submitted to the country’s appropriate supervisory authority for feedback and possible modification or elaboration.

Codes of conduct that cover data processing in numerous member states need to be submitted to the EDPB – The European Data Protection Board – for prior comment or elaboration before being sent to the European Commission for approval.


Eureka means “I found it!” and was the phrase that exclaimed Archimedes after discovering that the volume of water that ascends is equal to the volume of the submerged body. It is about problem solving, learning, and discovery. So that is precisely the purpose of this website: to understand, to learn. A tribute to our ancient history. From Europe to the world.