Transfer of personal data abroad

If personal data are sent to a recipient located outside the EU/EEA area — known as a third country — or to an international organisation, specific rules need to be observed for the transfer to be allowed under the General Data Protection Regulation (GDPR). Contact the Legal Affairs Office for advice on third country transfers of personal data.

GDPR gives all European Union (EU) member states equal protection of personal data and privacy. This also applies to EEA countries. As a result, transfers of personal data within the EU/EEA usually occur without problems under GDPR. However, there may be other circumstances that need to be considered when transferring data outside Sweden — for example, if the data is subject to confidentiality.


Examples of situations where personal data are transferred to third countries

  • When you send personal data to a recipient in a non-EU/EEA country.
  • When you send documents containing personal data by email to someone in a non-EU/EEA country.
  • When the University uses a personal data processor in a country outside the EU/EEA.
  • When you give someone outside the EU/EEA access, such as read-only access, to personal data stored within the EU/EEA, for example in connection with receiving support.
  • When you store personal data in a cloud service based outside the EU/EEA.
  • When you store personal data — for example, on a server — in a country outside the EU/EEA.

Transfer of personal data to non-EU/EEA countries

Transfers of personal data to countries other than EU/EEA countries, known as third country transfers, may take place only under specific conditions. This is because the level of protection guaranteed by GDPR may not be diminished by the transfer to a third country. As a general rule, the transfer to a third country or international organisation is allowed only if an adequate level of protection can be established prior to the transfer. The European Commission decides whether an adequate level of protection exists. You will find a list of safe countries here. In the absence of an adequate level of protection, appropriate safeguards need to be taken, such as the signing of the EU Commission's standard contractual clauses. There are also some exceptions that may be applicable, but these rarely apply to the University, so they will not be described in detail here.

Changes to the transfer of personal data to certain countries occur regularly, so it may be useful to regularly check decisions by the European Commission.

Transfer of personal data to the United States

On 16 July 2020, the Privacy Shield, the previous agreement on the transfer of personal data from the EU to the U.S., was annulled by the Court of Justice of the European Union. One of the reasons for the decision was that the EU's fundamental rights and freedoms could not be upheld in view of the mass surveillance capabilities of the U.S. The ruling meant that since 16 July 2020, the transfer of personal data to the U.S. under the Privacy Shield was no longer legal.

On 10 July 2023, the European Commission reconsidered and decided that the U.S. has an adequate level of protection for transfers to organisations covered by the "EU–U.S. Data Privacy Framework". It based this adequacy decision on the fact that the U.S. has taken steps to remedy the shortcomings identified by the Court of Justice of the EU in its July 2020 ruling. The measures have consisted of limiting the access of U.S. intelligence agencies to personal data and establishing a new mechanism that enables EU citizens to seek redress.

The Swedish Authority for Privacy Protection (IMY) has issued information regarding the EU Commission's adequacy decision for the U.S. (in Swedish).

The European Commission has announced that it will review the adequacy decision beginning on 10 July 2024 after it has been in force for one year. This is intended to verify that all relevant elements have been incorporated into the U.S. regulatory framework and that it works effectively in practice.

For the time being, Umeå University will continue to take a restrictive approach to U.S. cloud services. In this way the University avoids being locked into services that would be difficult to leave if the decision changes quickly or if the organisation providing the service would no longer be covered by the EU–U.S. Data Privacy Framework.

Recommendations for the transfer of personal data to the U.S.

  • Use only cloud services that the University has decided on and where the University actively works with security measures.
  • Personal data of protection class 1 and 2 according to the information classification can be transferred to the U.S. provided that the necessary security measures can be satisfied.
  • Personal data of protection class 3 and 4 according to the information classification will not be transferred to the U.S. for the time being, regardless of the European Commission's decision.
  • Follow developments. The University intends to provide updated information on developments with the situation.

Contact pulo@umu.se if you want to know more.

What are the EU Commission's standard contractual clauses?

If an adequate level of protection does not exist, the most common way to implement appropriate safeguards is for Umeå University and the third country or international organisation recipient to sign a specific agreement containing the EU Commission's standard contractual clauses.

The purpose of the standard contractual clauses is to safeguard the rights of data subjects so that their privacy is not violated. The content of the standard contractual clauses gives data subjects rights in relation to the processing of their personal data.

The standard contractual clauses are drafted by the Legal Affairs Office and signed by the University Director once the contract has been accepted by the beneficiary in the third country or international organisation. Contact the Legal Affairs Office in advance to finalise the agreement as soon as possible.

Additional questions on the transfer of personal data abroad?

When you plan to send personal data to a third country or an international organisation, always contact the Legal Affairs Office to help assess how we can do this legally.

More information can be found on the Swedish Authority for Privacy Protection's page on third country transfers.

Contact the Legal Affairs Office with questions by sending an email to pulo@umu.se

 

Contact information

Data Protection Officer

Marit Juselius

Tobias Nyström

Email to pulo@umu.se

Report personal data breaches to abuse@umu.se.

Internal Education and network

Legal Affairs Office
10/27/2023