Iris Lehmann

IVAM Microtechnology Network
Feb. 28, 2019
Business
Iris Lehmann

IVAM Microtechnology Network

Transferring data between the EU and Japan is approved by the European Commission

© boldg, Fotolia.com

The General Data Protection Regulation raised some uncertainties as to the conditions that allow transfer of personal data from the EU into third countries or vice versa.

With regard to Japan, the European Commission has eliminated these uncertainties by adopting an adequacy decision on January 23, 2019.

According to the press release of the European Commission, this decision created "the world's largest area of safe data flows”.

An adequacy decision determines that it is safe to transfer data across EU borders 

Chapter 5 (articles 44 – 50) of the General Data Protection Regulation (GDPR) describes the rules for transfers of personal data to third countries or international organizations. In summary, cross-border data transfer is allowed if “adequate levels of protection” and “appropriate legal safeguards” are ensured, or if “binding corporate rules” guarantee safe data transfers e.g. in multi-national corporations or company groups.

With an adequacy decision (article 45 GDPR) the European Commission determines that a non-EU country ensures an adequate level of protection of personal data either by its domestic law or by the international commitments it has entered into. 

An adequacy decision permits cross-border data transfer outside the EU without any further safeguards, restrictions, formalities or specific authorization. This means that you do not need the data subject’s explicit permission to transfer data and do not have to make sure or supervise that your business partner handles this data safely.

For a list of third countries so far recognized as adequate, go to https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

Contractual relationships allow cross-border data transfer into non-approved countries

You do not need to worry if you are cultivating or establishing business relations in a country that has no approved data safety rules (yet).

Article 49 GDPR provides for derogations (exceptions) for specific situations. One such exception is explicit permission given by the data subject. Data transfer into non-approved countries is also allowed under article 49 when it is necessary for the conclusion or performance of a contract. 

Good luck with your foreign business operations all around the globe!