Strict requirements to the transfer of personal data to countries outside the EU

In special cases, an organisation cannot lawfully transfer data to a third country without permission from the Danish Data Protection Agency. Usually, the organisation applies for permission by filling in an application form, which is available for downloading at the website of the Danish DPA, and it may take several months before the authorisation is granted. Now organisations may, however, obtain the permission of the Danish DPA, using EU's standard contractual clauses, which makes the process easier and faster.

Simplified application procedure

In January this year, the Danish DPA took measures to make the application procedure easier when personal data are to be transferred to third countries.

According to the new procedure, the organisation is to use a new special form when applying for permission to transfer personal data based on the European Commission's standard contractual clauses. The form may be sent by ordinary mail or by e-mail to the Danish DPA, and the organisation is to specify whether there have been any deviations from the EU standard contractual clauses by ticking the relevant box.

The contract is only to be sent to the Danish DPA together with the application form in case of deviations. Otherwise, it should merely be kept by the organisation. In case of deviations, the organisation must enclose a list of the deviations when forwarding the contract.

In the absence of deviations in the contract, the Danish DPA grant its authorisation within a time frame ranging from a few weeks to one month.

When to report the transfer of personal data

The transfer of personal data may require a permission from the Danish DPA unless the data subject has given his or her consent to the transfer.

Non-sensitive personal data is freely transferable between group companies within the EU/EEA as long as the Danish rules on the processing of data are observed.

The situation is, however, somewhat different when personal data are being transferred between group companies where one of the companies is domiciled outside the EU/EEA. In such cases, the relevant third country must also meet the data protection standards of the Danish DPA - and must thus be "safe".

Organisations should be aware of which third countries are covered as the organisation must notify the Danish DPA if the third country does not meet the Danish DPA's data protection standards (a "safe third country").

This is particularly relevant to organisations having their headquarters or HR department outside the EU as they will typically have to transmit personal data back and forth. These organisations must further be aware that a transfer of personal data may merely be an e-mail exchanged between the HR department and headquarters. It need not be large volumes of data.

Which third countries are safe?

Whether a third country is safe is assessed by the Danish DPA which has a list of third countries meeting their data privacy standards. The rules on the data transfer to these countries are therefore less stringent than the transfer of data to third countries not on the list.

Contrary to expectations, the United States is not a safe third country. The United States applies the so-called Safe Harbour Program. If personal data are transferred to an organisation participating in the program, the United States is deemed to be a safe third country. A list of the participating organisations is accessible at the website of the US Department of Commerce.

IUNO's opinion

It is important for the organisation to clarify its internal structures and guidelines for data transfers. This applies in particular to the obtaining of consent to the transfers which is still the easiest way to comply with the rules on the transfer of personal data.

If an employer expects to transfer personal data to a third country in an employment relationship, it may be an advantage to draft the employment contract so as to ensure that the employee gives his or her consent to the transfer in the employment contract.

Moreover, it is vital to obtain permission from the Danish DPA when it is necessary. As the application must be approved and the organisation must have received the permission before transferring the data, it is a big step forward that the EU Commission's standard contractual clauses now offer a fast-track solution.