Many data controllers would like to use the consent of data subjects to transfer data to countries outside the European Economic Area. Has the General Data Protection Regulation 2016/679 (“GDPR”) made it easier use consent as a basis for international transfer than was the case under the Directive 95/46?

Rules on international transfer under GDPR

Chapter V of GDPR offers several legal bases for the transfer of personal data to third countries or international organizations:

1. The suitability of the recipient country or entity on the basis of an adequacy decision of the European Commission (Article 45).
2. The establishment of “appropriate safeguards” by the recipient (Article 46) such as standard contractual clauses adopted by the European Commission or BCRs (Article 47).
3. The “Derogations for specific situations” provided by Article 49 (1) of the GDPR, which provides that transfers, where neither of the above applies, may be carried if one of the listed conditions is fulfilled. One of the derogations is the case where “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”.

Continue Reading Does the GDPR Allow for the Use of Consent for the International Transfer of Data?