
Legal Considerations When Handling the Personal Information of EU Citizens

Since the General Data Protection Regulation (GDPR) came into effect in May 2018, businesses need to comply with strict rules on how they handle the personal information of citizens in the European Union (EU). One of the biggest changes to privacy law is how the GDPR regulates the transfer of EU citizens’ personal information overseas. If you are an Australian business looking to target EU citizens, or you are going to open an office in the EU, you need to understand the GDPR rules. This article explains when you can legally transfer EU citizen data overseas.

What is the GDPR?

The GDPR is a set of laws from the EU that aims to protect individual privacy, specifically the use of personal information. As part of the changes in 2018, the GDPR introduced strict new rules on how businesses can handle customer data when it is transferred to a third party.

If the data is transferred to a third party within the EU, the third party must:

  • ensure any data processing is covered by a written legal contract;
  • promise to process personal data on the written instructions of the business transferring the data; and
  • help with any questions from the regulator.

However, under the GDPR, transferring personal data outside the EU is prohibited unless an exception applies. Yet many hosting providers, such as Amazon Web Services, are located outside of the EU, and the businesses that use them rely on the daily transfer of data to a third party. Therefore, the GDPR sets out two exceptions that permit this kind of transfer.

When Can Your Business Transfer EU Citizen Data Overseas?

A company can only send an EU citizen’s data to a company based outside the EU if:

  • there are appropriate safeguards for any misuse of data when the transfer takes place; or
  • the EU decides that a non-EU country is safe enough to receive EU citizens’ data (known as an adequacy decision).

1. Appropriate Safeguards

There are many different types of ‘appropriate safeguards’. For example, an appropriate safeguard can be:

  • corporate rules committing an organisation to good privacy practices;
  • agreeing to the ‘EU standard contractual clauses’; or
  • allowing the EU citizen to take action against the culprit if their data was misused during the transfer.

The Standard Clauses

The EU’s standard contractual clauses (standard clauses) are contract clauses which set out rules for transferring data from an EU country to a non-EU country. The rules do not change from contract to contract (hence they are ‘standard’). For example, one of the rules requires that the recipient of the data has technical and organisational security measures in place to safeguard the data.

The standard clauses count as an ‘appropriate safeguard’ under the GDPR. The GDPR states that if a business transferring data and a business receiving data (based outside the EU) sign a contract based on the standard clauses, then the transfer can go ahead. This is because the standard clauses set out rules that make a transfer of data, and the processing of data, safe.

For example, the standard clauses state that the business processing personal data must:

  • co-operate with EU supervisory authorities;
  • put in place good security to protect personal data;
  • put in place processes and procedures to help the business transferring the data deal with any person’s request to exercise their data rights under the GDPR; and
  • delete personal data if the contract ends.

2. Adequacy Decision

The European Commission has the power to decide a non-EU country is safe enough to receive EU citizens’ data. This is known as an adequacy decision. The European Commission makes its decision based on factors such as:

  • the rules in that country;
  • whether the country has an independent supervisory authority looking out for the privacy rights of its citizens; 
  • any international commitments to privacy; and
  • whether the country has a serious enough commitment to privacy to not need any other intervention.

For example, Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Switzerland, Uruguay and New Zealand are on this list.

The EU-US Privacy Shield Framework

Besides adequacy decisions, there are also agreements between the EU and certain non-EU countries, such as the EU-US Privacy Shield Framework introduced in 2016. This is another way that the EU can determine that a non-EU country is safe enough to receive data.

The framework enables data transfers to companies based in the US, with few restrictions. However, not every company is allowed to receive a transfer of data from the EU. Only companies that have met the requirements of the framework can join. It is a self-certification process, and any company that wants to receive data needs to:

  • develop a privacy policy that complies with the framework;
  • have a way to investigate privacy complaints;
  • pay a joining fee;
  • have a designated privacy contact; and
  • meet the other requirements set out in the framework.

If a US company successfully meets all the requirements needed to join the framework, then EU companies that want to transfer data to the US company do not need to worry about whether the US company agrees to the standard clauses.

Key Takeaways

If you’re an Australian business and you handle EU citizens’ personal data, then it is important to remember:

  • you likely need to comply with the GDPR;
  • if a business in a non-EU country helps you deal with EU citizens’ data, then there must be appropriate safeguards in place to protect that data (this includes having the recipient company agree to the standard clauses); and
  • alternatively, the country in which the recipient company is based may be subject to an adequacy decision, the most common example of which is the EU-US Privacy Shield Framework.

If you have any questions about complying with the GDPR, you can contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

Chloe Sevil
