GDPR: New rules applicable to transferring personal data internationally

08 Jul 2021


Dorothée David

Any Luxembourg employer who transfers personal data to a country outside the European Economic Area[1] (EEA) must comply with the requirements and conditions set out in the GDPR[2].

In particular, any transfer of personal data outside the EEA must:

  • be covered by an adequacy decision (see art. 45 of the GDPR), or
  • in the absence of an adequacy decision, be subject to appropriate safeguards, including those included in standard contractual clauses (SCCs) (see art. 46 of the GDPR), or
  • in the absence of an adequacy decision or appropriate safeguards, be based on one of the limited exemptions allowed (see art. 49 of the GDPR).

  • Data protection adequacy decisions and the addition of the United Kingdom

The European Commission has drawn up a list of third countries recognised as offering an adequate level of protection for personal data, and to which personal data can be freely transferred.

In a press release issued on 28 June 2021, the European Commission confirmed that it had adopted two adequacy decisions in relation to the United Kingdom that day: “Personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.”

  • New standard contractual clauses

The standard contractual clauses adopted by the European Commission are among the appropriate safeguards that an exporter must put in place when considering transferring personal data outside the EEA to a country that does not have an adequacy decision (see above).

In a decision made on 4 June 2021[3] the European Commission published new standard contractual clauses designed to govern data transfers from data controllers or processors in the EEA (subject to the GDPR) to data controllers or processors based outside the EEA (not subject to the GDPR).

In a press release issued on 28 June 2021, the CNPD clarified that the new standard contractual clauses came into effect on 27 June 2021 and can now be used by companies.

In addition, old standard contractual clauses that are currently in force or that are concluded before 27 September 2021 may continue to be invoked until 27 December 2022 (transitional period), provided that the processing operations remain unchanged and that those clauses provide appropriate safeguards, within the meaning of the GDPR, for the transfer carried out on their basis.

  • Final recommendations of the EDPB[4] on supplementary measures to be combined with appropriate safeguards

Following the CJEU’s judgement issued on 16 July 2020, known as “Schrems II”, the EDPB has published recommendations on the supplementary measures to be put in place when data is to be transferred outside the EEA on the basis of appropriate safeguards (i.e. SCCs, binding corporate rules, approved codes of conduct or certifications etc.).

A press release issued by the CNPD on 21 June 2021 sets out the main changes made, and provides a reminder that these recommendations are intended to help data controllers and processors acting as exporters of data define and implement appropriate supplementary measures, where necessary.


[1] The EEA is made up of the 27 Member States of the European Union plus Iceland, Norway and Liechtenstein.

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing directive 95/46/EC (General Data Protection Regulation).

[3] Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance) published in OJ L 199/31 of 7 June 2021.