International transfers to a recipient in a third country may take place, without a need to obtain any further authorisation, if the European Commission has decided that such third country ensures an adequate level of data protection. The current list of countries considered 'adequate' can be found on the European Commission's website.
'Adequate' third countries
You may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Adequate safeguards may be provided for by:
Binding corporate rules
International data transfers within a corporate group may take place on the basis of Binding Corporate Rules (BCRs). BCRs require approval from Data Protection Authorities (such as the Information Commissioner's Office (the ICO)), but once such approval is obtained, individual transfers made under the BCRs do not require further approval.
BCRs are like a code of conduct, allowing multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection.
International data transfers may take place on the basis of standard data protection clauses approved by the European Commission. The ICO has approved the use of the model clauses as a means of ensuring adequacy, however, this approval only extends to use of the model clauses as they stand, with additional contractual language added to them that doesn't contradict them in any way.
There are two sets of model clauses produced by the European Commission. One governs controller-to-controller transfers and the other controller-to-processor transfers. You can find both sets of model clauses on the European Commission's website.
International data transfers may take place on the basis of certifications. Certifications provide organisations with a formally recognised confirmation of compliance with EU data protection law, typically with an associated visual symbol, confirming that the organisation satisfies the requirements of the relevant seal or certification.
For more information about this complex area, Ask a lawyer.
What is the Umbrella Agreement?
The Umbrella Agreement is a comprehensive high-level data protection framework for EU-US law enforcement cooperation (eg combating terrorism and other crime) which allows the transfer of personal data.