Personal data transfers to third countries
Author | Michèle Finck |
Pages | 89-90 |
Blockchain and the General Data Protection Regulation
89
10.Personal data transfers to third countries
Chapter V of the GDPRlimits the circumstances under which personal data can be transferred
from the European Union to third countries. It clarifies that personal data can only be transferred
to third countries where these (i) benefit from adequacy decisions, (ii) appropriate safeguards are
offered, or (iii) on the basis of a derogation.537The examination of these provisions in relation to
blockchain technology is important as the multiple nodes on which the ledger is kept can be located
in various jurisdictions, both inside and outside the European Union. Whereas the location of the
nodes can be controlled in a permissioned network, this is impossible ina permissionless system as
anyone may access the network without the need for prior authorisation by a central gatekeeper.
Pursuant to Article 45 G DPR, transfers of personal data to third countries are possible on the basis
of an adequacy decision. Wherethe European Commission has decided that a third country,
territory538or specific sector in a third country (or an international organisation) ensure an adequate
level of protection, such data transfers do not require any specific authorisation.539The European
Commission has the ability to issue adequacy decisions taking into account factors such as the
respect for the rule of law, human rights and fundamental freedoms as well as relevant legislation
and practices540, whether there is an independent supervisory authority that ensures and enforces
compliance with data protection rights541and the relevant third country or international
organisation's international commitments regarding data protection.542If the Commission reaches
the conclusion that that jurisdiction provides an adequate level of protection, it can issue an
implementing act that recognises this (the adequacy decision) which provides for periodic review
(at least every four years).543
Adequacy is defined as a level of protection that is 'essentially equivalent to that ensured
within the Union'.544This has been interpreted by the Article 29 Working Party as requiring that
these foreign rules comply with a 'core' of GDPR principles, the Charter of Fundamental Rights as
well as relevant international instruments (including the Council of Europe's Convention 108).545
Where an adequacy decision with a third country exists, personal data can thus flow freely between
these jurisdictions, notwithstanding whether blockchains or another personal data processing
technology are used.
Where personal data is transferred to a jurisdiction that does not benefit from an adequacy decision,
a controller or processor may only transfer personal data to a third country where it is able to provide
appropriate safeguards. Under Article 46 GDPR, transfers to third countries are possible where
the controller or processor 'has provided appropriate safeguards, and on condition that enforceable
data subject rights and effective legal remedies for data subjects are available'.546Such safeguards
do not require a specific authorisation from a supervisory authority and may include (i) legally
binding and enforceable instruments between public authorities or bodies, (ii) binding corporate
537Note that there is a hierarchy between these different grounds. Essential equivalence can only be used where there is
no adequacy and derogations can only be used where there is no adequacy decision nor essential safeguards.
538Territories include the Overseas Countries and Territories that have a special relationship with specific Member States
but to which EU law does not apply such as Greenland or French Polynesia and the Netherlands Antilles, among others.
539Article 45 (1) GDPR. See als o Recital 103 GDPR.
540Article 45(2)(a) GDPR.
541Article 45(2)(b) GDPR.
542Article 45(2)(c) GDPR.
543Article 45(3) GDPR.
544Recital 104 GDPR.
545WP29 2017: Article 29 Working Party, ‘Adequacy Referential (updated)’ (WP 254, 28 November 2017) 3.
546Article 46 (1) GDPR.
Get this document and AI-powered insights with a free trial of vLex and Vincent AI
Get Started for FreeUnlock full access with a free 7-day trial
Transform your legal research with vLex
-
Complete access to the largest collection of common law case law on one platform
-
Generate AI case summaries that instantly highlight key legal issues
-
Advanced search capabilities with precise filtering and sorting options
-
Comprehensive legal content with documents across 100+ jurisdictions
-
Trusted by 2 million professionals including top global firms
-
Access AI-Powered Research with Vincent AI: Natural language queries with verified citations

Unlock full access with a free 7-day trial
Transform your legal research with vLex
-
Complete access to the largest collection of common law case law on one platform
-
Generate AI case summaries that instantly highlight key legal issues
-
Advanced search capabilities with precise filtering and sorting options
-
Comprehensive legal content with documents across 100+ jurisdictions
-
Trusted by 2 million professionals including top global firms
-
Access AI-Powered Research with Vincent AI: Natural language queries with verified citations

Unlock full access with a free 7-day trial
Transform your legal research with vLex
-
Complete access to the largest collection of common law case law on one platform
-
Generate AI case summaries that instantly highlight key legal issues
-
Advanced search capabilities with precise filtering and sorting options
-
Comprehensive legal content with documents across 100+ jurisdictions
-
Trusted by 2 million professionals including top global firms
-
Access AI-Powered Research with Vincent AI: Natural language queries with verified citations

Unlock full access with a free 7-day trial
Transform your legal research with vLex
-
Complete access to the largest collection of common law case law on one platform
-
Generate AI case summaries that instantly highlight key legal issues
-
Advanced search capabilities with precise filtering and sorting options
-
Comprehensive legal content with documents across 100+ jurisdictions
-
Trusted by 2 million professionals including top global firms
-
Access AI-Powered Research with Vincent AI: Natural language queries with verified citations

Unlock full access with a free 7-day trial
Transform your legal research with vLex
-
Complete access to the largest collection of common law case law on one platform
-
Generate AI case summaries that instantly highlight key legal issues
-
Advanced search capabilities with precise filtering and sorting options
-
Comprehensive legal content with documents across 100+ jurisdictions
-
Trusted by 2 million professionals including top global firms
-
Access AI-Powered Research with Vincent AI: Natural language queries with verified citations
