As a general principle, data flows between countries must be subject to adequate data protection in the country of destination. For some countries, the protection is considered adequate; for others, the University of Tartu as the data controller must take additional measures. Therefore, if you wish to transfer personal data to a third country, always consult the university’s senior specialist for data protection.

3.2.1. European Union member states, Iceland, Liechtenstein and Norway

If personal data are transferred to countries in the European Economic Area (EEA), the GDPR ensures adequate protection, and no additional restrictions or requirements apply. The general principles must be respected: processing must be lawful, fair, transparent, secure, purposeful and minimal. There must also be a contract for the data transfer.

However, the laws of the different EU member states on research and research ethics differ somewhat. Therefore, it is advisable to discuss with partners what the requirements are for personal data in the other country.

3.2.2. Third countries with an adequate level of data protection

If data are transferred to a country outside the EEA (a third country), the level of data protection there must be assessed. The European Commission has found that the level of data protection is adequate in Andorra, Argentina, Canada, the Faroe Islands, Israel, Japan, the Republic of Korea, Switzerland, Uruguay, New Zealand, the United Kingdom and the British Crown Dependencies of Guernsey, the Isle of Man and Jersey. There, no additional safeguards are necessary, and the same requirements apply as to EU member states.

Read more:

List of countries with an adequate level of data protection on the website of the European Commission


3.2.3. Other third countries

In 2016, the European Commission assessed the EU-US data protection framework Privacy Shield as adequate in terms of the level of protection, but this assessment was invalidated by the Court of Justice of the European Union in a 2020 ruling – so the level of data protection in the US is currently not adequate. Therefore, the exchange of personal data between Estonia and the US requires additional safeguards. This could be done, for example, through a data transfer agreement with the institution in the US or any other measure mentioned in Article 46 of the GDPR. In addition, the transfer of personal data to the US is subject to a data protection impact assessment (see 2.14.3).

The European Commission approved data transfers under the GDPR to the United States after the adoption of the adequacy decision on 10 July 2023.

For all other third countries whose level of data protection has not been recognised as adequate by the European Commission, the controller will also need to implement additional safeguards, which in most cases implies the conclusion of a separate agreement with a cooperation partner in the third country.
