Lexicon > Data transfer

IT Glossary

Data transfer

The notion of data transfer refers more specifically to the transfer of personal data outside the European Union.

A data transfer is the transmission, or making available, of personal data by an entity subject to the GDPR to an entity located in a country outside the European Union, or to an international organization.

For the transfer to be qualified as such by the GDPR, the exporter of the data must be subject to the GDPR, whether or not it is established in the territory of the European Union.

However, the voluntary and self-initiated transmission of personal data by the data subject directly to an entity located outside the European Union will not be considered a data transfer within the meaning of the GDPR.

Indeed, the exporter of the data is necessarily a controller or a processor. The same applies to the data importer.

Thus, access from a country outside the European Union by a single entity (for example, during a business trip by the manager abroad) does not strictly speaking constitute a transfer of personal data.

In any case, any transfer of data must be accompanied by sufficient guarantees for the rights and freedoms of the persons concerned.

They can then be based on:

  • An adequacy decision by the European Commission;
  • Standard contractual clauses of the European Commission, or adopted by a supervisory authority and approved by the European Commission;
  • Internal company rules;
  • An approved code of conduct with a binding and enforceable commitment by importers to apply appropriate safeguards;
  • An approved certification scheme with a binding and enforceable commitment by importers to apply appropriate safeguards;
  • An administrative arrangement or binding and enforceable text made to enable cooperation between public authorities.

GDPR Point

” Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. 2All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

Article 44 of the GDPR

Point of jurisprudence

The Court of Justice of the European Union(CJEU) invalidated the Privacy Shield stating, among other things, that:


“the law of that third country does not provide for the necessary limitations and safeguards with respect to interference permitted by its domestic regulations, nor does it provide for effective judicial protection against such interference.

CJEU, Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian SchremsJuly 16, 2020, No. C-311/18

The Bouchara Law firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.