International companies transfer personal data, e.g. applicant data from subsidiary companies in Germany to the USA, from support center to support center (follow the sun) or to service partners resident in third countries, who process personal data under contract. The applications are diverse, and the data transmission, too, can occur over a number of data importers. The first challenge for a company is to record, what data is transferred to which data recipient and how the data flow from the data exporter to the data recipient, including the integrated subcontractors, is arranged. The next step is to check the admissibility of the technical data transmission by a two-stage examination. The first step of the examination implies the control, whether a data transmission in the home country would be permissible (e.g. on account of an order processing according to Art. 28 GDPR).
If the data transmission is allowed on the first level, the second step of the examination implies the control of the admissibility of data transfer to the data importer being located in a third country. The appropriate contract of the EU standard contractual clauses and an arrangement on order processing between the data exporter and the data importer need to be concluded possibly here. If the data importer is resident in the USA, the EU-US Privacy Shield can be applied alternatively.
Furthermore, binding corporate rules can be used as a suitable instrument for data transmission. If the data importer hires subcontractors, it needs to be checked to what extent they join the existing data protection contracts. The topic of the international data transmission contains – according to the constellation between data exporter and data importer – different case groups, out of which the right one needs to be applied for the realization of the required data protection contracts. This is in particular valid for providers of cloud services outside the EU.
We offer especially the following services concerning international data transmission: