Processing of personal data in third countries

Version 1.3 - Based on the EU General Data Protection Regulation post Schrems II.

"Transmission of personal data - domestic, EU countries, third countries" was the fourth publication of the Bitkom Working Group on Data Protection and dates back to 2005. The Working Group on Data Protection is made up of experts from Bitkom member companies and deals with current issues and data protection-specific aspects of information and communications technology. A profile of the working group can be accessed here.

Version 1.1 of the guide was created in summer 2016 on the basis of the still-applicable law of the EU Data Protection Directive 95/46 and the Federal Data Protection Act, as well as taking into account the Safe Harbor case law. It served as guidance for the transitional phase until the final application of the EU General Data Protection Regulation. The subsequent version 1.2 was prepared in summer 2017 based on the EU General Data Protection Regulation, which has been applicable since May 25, 2018, and updated in summer 2022 in the version 1.3. presented here. Version 1.3 takes into account the impact of the ECJ ruling "Schrems II" (C-311/18) issued on July 16, 2020, in which the European Commission's adequacy decision (EU)2016/1250 of July 12, 2016 on the US-EU Privacy Shield Framework - concerning the transfer of personal data to the US - was declared invalid. Meanwhile, the ruling brings significant implications not only for data transfers to the U.S., but in general for the processing of personal data in third countries.

The updated guide is part of the publication series on Transfer Impact Assessment and the Bitkom TIA tool and can be downloaded here.