Skip to content
Skip to page content

6. Only transfer personal data out of the EU if the conditions are met

The level of data protection may not meet the EU’s requirements when personal data is transferred out of the EU and European Economic Area (EEA). That is why there are certain conditions to be met if you intend to transfer data out of the EEA.

The hobby organiser must identify whether its activities involve the transfer of data to third countries (countries outside the EU or EEA). Personal data can be transferred via various systems and electronic services, for example.

In addition to the EU Member States, the EEA comprises Iceland, Liechtenstein and Norway. Personal data may be transferred to these countries on the same grounds as within Finland. Transferring personal data outside these countries can cause risks to the persons whose data is being transferred.

For the transfer of personal data to be permitted, both of the conditions below have to be met:

  1. the processing of personal data must be allowed in the circumstances in question; and
  2. there is a basis listed in the GDPR for the transfer. In addition, you need to assess on a case-by-case basis whether supplementary safeguards are needed to ensure an adequate level of data protection.

The use of each basis for transfer is subject to certain conditions. The hobby organiser must assess which of the bases for transfer is appropriate. If the conditions of none of the bases for transfer are met, the personal data may not be transferred.

Read more about international transfers of data on the Office of the Data Protection Ombudsman’s website: Transfers of personal data out of the European Economic Area.

What does the hobby organiser need to take into account when transferring data out of the EEA?

1. The hobby organiser must first determine whether it or its processors or subprocessors are transferring personal data out of the EEA.

2. If personal data is being transferred out of the EEA, the hobby organiser must ensure that the processing is permitted in those circumstances and that a specific basis for transfer has been specified for the transfer of the personal data.

3. The controller must then check whether the third country’s legislation and/or practices guarantee a level of protection corresponding to EU requirements for the personal data being transferred.

4. If the chosen basis for transfer does not in itself guarantee an adequate level of data protection, it can be supplemented with various safeguards in certain situations. The hobby organiser must then determine whether such safeguards can be adopted.

5. You should document your assessments of international transfers of personal data.

Remember

Make sure that transfers of personal data out of the EEA comply with the requirements set for them.

5. Report personal data breaches
7. Give people involved in the hobby instructions and training in data protection