International data protection

Hardly any company – even those whose activities are primarily local – can get by without transmitting personal data to a location in another country. Such international data transfers affect individual enterprises, but they are also increasingly affecting group companies, in other words companies that are part of a corporation. The use of cloud computing also regularly involves transferring data internationally.
Individual enterprises

Companies that are not part of a corporate group often use contractors in the context of outsourcing activities. They regularly act as the principals in data sub-processing. From the perspective of international data protection law, cases where contractors are located inside the EU are not problematic because a homogeneous data protection standard has been achieved by way of Directive 95/46/EC of the European Parliament.

For service providers located in a country outside the EU, the following determination must be made: personal data, for instance customer or employer data, can be transmitted if data protection standards in the non-EU country are comparable to those in the EU. The EU Commission has bindingly established this for several countries (Argentina, Guernsey, Isle of Man, Jersey, Canada, Switzerland and New Zealand), so these transfers are fundamentally not problematic.

Otherwise, it must be determined on a case-by-case basis which of the legally available solutions is the proper one – including considering what is appropriate for the principal. Thus it must be decided whether standard EU contractual clauses, individual contracts, consent solutions for the affected parties, joining the EU-U.S. Privacy Shield (the upcoming successor to the Safe Harbor Agreement, which was declared invalid by the ECJ) or one of the other alternatives should be used. Some decisive factors here are:

  • which categories of data are being transmitted, and whether this is constant;
  • the structure of the national laws in the receiving country;
  • the reasons for processing the data;
  • etc.

However, official supervisory practices must also be known in order to make the “right” decision.

Corporations / other affiliated companies

Fundamentally, the situation for corporations is not much different from the one described above when it comes to international data transfer – at least in terms of the fundamental rules. After all, the companies in a corporation do not see many data protection benefits compared to non-group companies – there is no “corporate privilege.” The participating companies also face challenges due to the complexity of the corporate structure itself and the flow of data within the corporation, which is often not known in detail. The first step in creating a successful data transfer concept for a corporation or other associated companies is thus understanding as much of the data transfer process as possible:

  • What is the source of the data in question? What is the data quality?
  • Which companies can “view the system”, in other words are recipients?
  • Which company areas need to have access?
  • Are the same systems really used in all of the associated companies, or are there local particularities?
  • etc.

The second step is to find the ideal data protection concept. In addition to the above-mentioned instruments (EU standard contractual clauses, individual contracts, etc.), there are several tools that work well for corporations in particular:

  • Binding Corporate Rules or
  • Codes of Conduct.

The instrument or combination of solutions should be chosen based on the company’s size, its core commercial activity and the complexity of the actual data transfer. If appropriate, third parties can be included in the process, such as works councils or even supervisory authorities.

After the evaluation and decision-making process, there is the actual implementation phase. While many data protection officers hand this step over to the corporation because they lack a specific understanding of corporate culture, our data protection experts are very familiar with the various corporate cultures; they consider this piece of international data protection management to be the most important phase of their consulting work. Thus we do not step back at this point, but rather prepare all of the documentation so that it is ready to be signed; we support and/or manage the entire communication process, both in the corporation and with any third parties who will be involved. Our international legal and linguistic knowledge helps us effectively communicate and apply our experiences here.

The best part is: we can tell you in advance how long the process will take. Economically speaking, our tailor-made international data protection projects are not a “bottomless pit.” As premium providers, we consider cost transparency and cost controls to be extremely important. As a rule, we are able to offer flat rates for projects.

Help keep or make your international data transfers legally compliant. Calmly face supervisory-board audits and/or find ways to reduce your supervisory approval processes to a minimum. We can help you find constructive solutions for company-policy conflicts when it comes to your objectives in the international arena!