GDPR Data Localization: How to Follow It Properly?
In the last few years, many countries have introduced data localization requirements globally. Some of these have imposed stricter laws, while some are more lenient.
In this article, we’ll explore the EU’s GDPR data localization rules and explain how your business can follow them properly so you can maintain your customers’ trust and avoid fines.
Let’s dive right in.
- GDPR does not have specific data localization requirements. However, the EU’s data privacy law is very clear about the conditions under which EU citizens’ data can be transferred to a non-EU country or international organization.
- For EU citizens’ data to leave the Union, the receiving country must either have the European Commission’s adequacy decision, have appropriate data protection safeguards in place, or operate under Binding Corporate Rules (BCRs).
- Although the GDPR does not state it explicitly, the following types of data must follow GDPR data localization or residency rules: personal data, special categories of personal data, genetic data, biometric data, location data, and online identifiers.
GDPR Data Localization Requirements
Unlike China’s PIPL, GDPR does not have specific data localization requirements.
However, there are strict requirements for transferring data outside the EU laid out in Chapter 5 of GDPR (Transfers of personal data to third countries or international organizations).
A transfer of data from the EU to a non-EU country requires at least one of the following:
1. An adequacy decision by the European Commission
This allows personal data to travel freely from the EU to these countries without additional safeguards. Countries that currently have the Commission’s adequacy decision include:
- Canada (for commercial organizations)
- Faroe Islands
- Isle of Man
- New Zealand
- Republic of Korea
- United Kingdom
- United States (for commercial organizations certified under the EU-US Data Privacy Framework)
2. Appropriate safeguards by the data controller or processor
The GDPR also provides several safeguards as options for transferring data outside the EU. These safeguards include:
- Standard contractual clauses: legally binding data protection clauses approved by the European Commission. Both parties (sender and recipient of personal data) must adhere to these.
- Binding corporate rules (BCRs): internal rules adopted by multinational companies or groups of enterprises for transfers within the group, ensuring that all members maintain an appropriate level of GDPR compliance regardless of their location. For example, if a company has headquarters in Berlin, Germany, and is transferring its employees’ data to a branch in Madrid, Spain, it can do so under adequate BCRs.
- Certification mechanisms: These are data protection certifications issued by an approved certification body. They should be transparent and readily available to the public.
3. Derogations for specific situations
Derogations are exceptions that allow a transfer of personal data to a third country to take place in certain specific situations without an adequacy decision or appropriate safeguards.
The General Data Protection Regulation (GDPR) provides several derogations, such as:
- Explicit Consent: The data subject has explicitly agreed to the proposed transfer after being informed of the possible risks due to the absence of an adequacy decision and appropriate safeguards.
- Contract Performance: The transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the data subject's request.
- Vital Interests: The transfer is necessary to protect the vital interests of individuals who are physically or legally incapable of giving consent.
- Legal Claims: The transfer is necessary for important reasons of public interest, or for the establishment, exercise, or defense of legal claims.
Remember, these derogations are not meant for general use; they apply only under specific circumstances, as per European Commission guidelines.
What Type of Data Must Follow GDPR Data Localization?
Again, GDPR allows EU companies to transfer personal data outside the Union but imposes strict requirements on the following types of potentially sensitive data:
- Personal data (name, address, date of birth, email address, phone number, or anything that can be used to directly identify a person)
- Sensitive personal data (or “special categories of personal data”, such as race, sexual orientation, religious or political beliefs)
- Genetic or biometric data (inherited genetics, facial image, fingerprints, voice recognition, etc.)
- Location data (IP address, GPS, etc.)
- Online identifiers (any data that can identify a person online, such as cookies or device IDs)
Cross-Border Data Transfer Under GDPR
GDPR cross-border data transfer requirements are as follows:
- Data can be transferred only if the third country or international organization has an adequate level of data protection per the European Commission (Article 45)
- If the Commission has not found the third country or international organization to have an adequate level of protection, the data controller or processor may provide the necessary safeguards for the transfer (Article 46)
- All EU-based companies must adhere to their binding corporate rules (BCRs) when transferring data outside the Union. The relevant supervisory authority approves BCRs in accordance with the consistency mechanism in Article 63 (Article 47)
- A judgment of a court or tribunal of a third country requiring the controller or processor to disclose personal data is enforceable only if it is based on an international agreement between that country and the EU or a Member State (Article 48)
- In certain circumstances (the individual has given explicit consent, the transfer is necessary for a contract, public interest, or vital interest of the data subject), data transfer can still happen, even without the adequacy decision or the appropriate safeguards (Article 49)
Appropriate safeguards can include:
- Standard Contractual Clauses (SCC)
- Binding Corporate Rules (BCRs)
- Legal agreements
- Code of conduct
- Certification mechanisms
Additional Considerations for Data Localization
While the GDPR does not have specific data localization requirements, the 2020 invalidation of the EU-US Privacy Shield in the “Schrems II” case led to EU organizations taking extra steps and adjusting their data protection strategies to ensure that citizens’ data is protected before it leaves the Union.
Consequences of Not Following the GDPR Data Localization Laws
GDPR can be a tough law to follow, and the penalties for violating it can vary from getting a warning and a reprimand to paying a large fine.
For instance, if your organization transfers data to a third country that has neither a Commission adequacy decision nor an adequate level of protection, you could face a fine of up to 10 million euros or 2% of your annual revenue for Tier 1 (minor violations), or up to 20 million euros or 4% of your annual revenue for Tier 2 (major violations).
Not following the GDPR data localization rules is one of the most common violations companies face, and the supervisory authorities have fined organizations hundreds of millions of euros for failing to comply.
For example, in 2023, the Data Protection Commission (DPC) of Ireland fined Meta €1.2 billion for transferring EU users’ data outside the EU (United States) without ensuring an adequate level of data protection.
Now, you might be wondering what the next steps are to ensure compliance in your company. That’s where we come in.
Captain Compliance can help you understand and follow GDPR data localization requirements better when transferring personal data to non-EU countries. Get in touch with us today before fines get in touch with you.
What are the location rules for GDPR?
According to the GDPR, all data collected on a data subject must be stored either in the EU itself or in a country that has an adequate level of data protection.
Does GDPR require data to be stored in Europe?
Under GDPR, data has to be stored either in the EU/EEA or in a country that has a similar level of data protection in place.
Does GDPR require data residency?
Per the General Data Protection Regulation, EU citizens’ data can be stored and processed only in the EU or within a jurisdiction with an adequate level of data protection.
What do you mean by data localization?
Data localization is the practice of storing and processing data within a certain geographic location, such as a country or a state.