Processing of personal data in third countries
Version 1.3 – Based on the EU General Data Protection Regulation post Schrems II
"Transfer of personal data – domestic, EU countries, third countries" was the fourth publication by the Bitkom Data Protection Working Group and dates back to 2005. The Data Protection Working Group consists of experts from Bitkom member companies and addresses current issues and data protection-related aspects of information and communication technology.
Version 1.1 of the guide was published in summer 2016, based on the then applicable EU Data Protection Directive 95/46 and the German Federal Data Protection Act, and also took into account the case law on Safe Harbor. It served as guidance for the transitional period until the full application of the EU General Data Protection Regulation. The subsequent Version 1.2 was created in summer 2017 on the basis of the EU General Data Protection Regulation, which has been in force since 25 May 2018, and was updated in summer 2022 to the present Version 1.3.
Version 1.3 takes into account the implications of the CJEU judgment "Schrems II" (C-311/18) delivered on 16 July 2020, in which the European Commission’s adequacy decision (EU) 2016/1250 of 12 July 2016 on the US-EU Privacy Shield Framework — concerning the transfer of personal data to the US — was declared invalid. This judgment has significant consequences not only for data transfers to the US but generally for the processing of personal data in third countries.
The updated version of the guide forms part of the publication series on Transfer Impact Assessments and the Bitkom TIA Tool, and can be downloaded here (in German).
