Overview of dealing with overseas transfers

The GDPR (Regulation (EU) 2016/679) is a regime of personal data protection requirements adopted by the European Parliament and the Council which regulates “personal data”. As set out in What is the GDPR and when does it apply to Australian organisations?, the GDPR applies to Australian organisations in certain circumstances.

If the GDPR applies to your organisation, you will need to have a strategy in place to comply with key obligations under the GDPR (see Key compliance obligations under the GDPR).

A key compliance issue for Australian organisations is dealing with overseas transfers of personal data outside the EU (strictly, outside the European Economic Area, to which the GDPR has been extended). For an Australian organisation, this includes moving personal data from the EU to its own systems in Australia.

Individuals risk losing the protection of the GDPR if their personal data is transferred outside of the EU.

Chapter V of the GDPR (Articles 44–50) governs the transfer of personal data to countries outside the EU. The rationale is that when transfers are made to countries outside the EU, the level of protection afforded to EU individuals by the GDPR should not be undermined. See Recital 101.

Transfers by controllers or processors of personal data to countries outside the EU are prohibited unless the controller/processor complies with the conditions set out in Chapter V.

The GDPR therefore restricts transfers of personal data outside the EU (that is, outside the protection of the GDPR) unless the individuals' rights in respect of their personal data are protected in another way, or one of a limited number of exceptions applies.

In this subtopic you will learn:

  • what a transfer outside the EU is for an Australian organisation captured by the GDPR;
  • how your organisation can transfer personal data outside the EU;
  • transfers on the basis of an adequacy decision;
  • what the Privacy Shield is (note: the EU–US Privacy Shield was invalidated by the Court of Justice of the EU in Schrems II, Case C-311/18, in July 2020 and can no longer be relied on as a transfer mechanism);
  • what the standard contractual clauses are;
  • what binding corporate rules are;
  • exceptions to the rules on transfers outside the EU; and
  • how to identify key issues with overseas transfers by using our practical checklist.