Since the General Data Privacy Regulation (GPDR) came into effect in May 2018, businesses need to comply with strict rules on how they handle the personal information of citizens in the European Union (EU). One of the biggest changes to privacy law is how the GPDR regulates the transfer of personal information of EU citizens overseas. If you are an Australian business looking to target EU citizens or you are going to open an office in the EU, you need to understand the GPDR rules. This article will explain when you can legally transfer EU citizen data overseas.

What is the GDPR?

The GDPR is a set of laws from the EU that aims to protect individual privacy, specifically the use of personal information. As part of the changes in 2018, the GDPR introduced strict new rules on how they can handle customer data when transferred to a third party.

If the data is transferred to a third party within the EU, the third party must:

  • ensure any data processing is covered by a written legal contract;
  • promise to process personal data on the written instructions of the business transferring the data; and
  • help with any questions from the regulator.

However, under the GDPR, transferring personal data outside the EU is prohibited. Yet, many server providers such as Amazon Web Services are located outside of the EU. These companies rely on the daily transfer of data to a third party. Therefore, the GPDR has set out two exceptions for this transfer.

When Can Your Business Transfer EU Citizen Data Overseas?

A company can only send an EU citizen’s data to a company based outside the EU if:

  • there are appropriate safeguards for any misuse of data when the transfer takes place; or
  • the EU decides that a non-EU country is safe enough to receive EU citizens’ data (known as an adequacy decision).

1. Appropriate Safeguards

There are many different types of ‘appropriate safeguards’. For example, an appropriate safeguard can be:

  • corporate rules committing an organisation to good privacy practices;
  • agreeing to the ‘EU standard contractual clauses’; or
  • allowing the EU citizen to take action against the culprit if their data was misused during the transfer.

The Standard Clauses

The EU’s standard contractual clauses (standard clauses) are contract clauses which set out rules for transferring data from an EU country to a non-EU country. The rules do not change (hence they are ‘standard’). For example, one of the rules requires that the recipient of the data has technical and security measures in place to safeguard the data. 

The standard clauses count as an ‘appropriate safeguard’ under the GDPR. The GDPR states that if a business transferring data and a business receiving data (based outside the EU) sign a contract based on the standard clauses, then the transfer can go ahead. This is because the standard clauses set out rules that make a transfer of data, and the processing of data, safe.

For example, the standard clauses state that the business processing personal data must:

  • co-operate with EU supervisory authorities;
  • put in place good security to protect personal data;
  • put in place processes and procedures to help the business transferring the data deal with any person’s request to exercise their data rights under the GDPR; and
  • delete personal data if the contract ends.

2. Adequacy Decision

The European Commission has the power to decide a non-EU country is safe enough to receive EU citizens’ data. This is known as an adequacy decision. The European Commission makes its decision based on factors such as:

  • the rules in that country;
  • whether the country has an independent supervisory authority looking out for the privacy rights of its citizens; 
  • any international commitments to privacy; and
  • whether the country has a serious enough commitment to privacy to not need any other intervention.

For example, Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Switzerland, Uruguay and New Zealand are on this list.

The EU-US Privacy Shield Framework

Besides adequacy decisions, there are also agreements between the EU and certain non-EU countries, such as the EU-US Privacy Shield Framework introduced in 2016. This is another way that the EU can determine that a non-EU country is safe enough to receive data.

The framework functions to enable data transfers to companies based in the US, with few restrictions. However not every company is allowed to receive a transfer of data from the EU. Only companies that have met the requirements of the framework can join. It’s a self-certification process and any company that wants to receive data needs to:

  • develop a privacy policy that complies with the framework;
  • have a way to investigate privacy complaints;
  • pay a joining fee;
  • have a designated privacy contact; and
  • meet the other requirements set out in the framework.

If a US company successfully meets all the requirements needed to join the framework, then EU companies that want to transfer data to the US company do not need to worry about whether the US company agrees to the standard clauses.

Key Takeaways

If you’re an Australian business and you handle EU citizens’ personal data, then it is important to remember:

  • you likely need to comply with the GDPR;
  • if a business in a non-EU company helps you deal with EU citizens’ data, then there must be appropriate safeguards in place to protect data (this includes having the recipient company agreeing to the standard clauses); and
  • the country in which the company is based is subject to an adequacy decision and the most common example of these is the framework.

If you have any questions about complying with the GDPR, you can contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
Chloe Sevil

Get a Free Quote Now

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

  • We will be in touch shortly with a quote. By submitting this form, you agree to receive emails from LegalVision and can unsubscribe at any time. See our full Privacy Policy.
  • This field is for validation purposes and should be left unchanged.

Privacy Policy Snapshot

We collect and store information about you. Let us explain why we do this.

What information do you collect?

We collect a range of data about you, including your contact details, legal issues and data on how you use our website.

How do you collect information?

We collect information over the phone, by email and through our website.

What do you do with this information?

We store and use your information to deliver you better legal services. This mostly involves communicating with you, marketing to you and occasionally sharing your information with our partners.

How do I contact you?

You can always see what data you’ve stored with us.

Questions, comments or complaints? Reach out on 1300 544 755 or email us at

View Privacy Policy