Data Protection Commissioner
Data Protection Commissioner

Frequently Asked Questions - FAQ

8. Transfers Abroad

8.1 I want transfer personal data out of Ireland, what do I need to do?

The Data Protection Acts, which have transposed the EU Data Protection Directive, provide a common basis on which personal data may be transferred from Ireland to any other country in the EEA (EU members plus Norway, Iceland and Liechtenstein), in accordance with the common data protection standards set out in the Directive. Where personal data is to be transferred to a country outside of the EEA, one of the following additional conditions must apply:

  • Transfer is to one of the following countries/territories: Andora, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man,Israel, Jersey, New Zealand, Switzerland, Uruguay.
  • Transfer is of advance airline passenger(PNR) data in accordance with the EU-approved arrangements for such transfer to the border authorities in the USA, Canada and Australia
  • Transfer is within a group of companies covered by EU-approved Binding Corporate Rules
  • Transfer is made using one of three EU-approved Model Contracts
  • Transfer has the clear and unambiguous consent of the individual data subject(s)
  • Transfer is either : authorised by law or by the Data Protection Commissioner; from a public register; necessary for reasons of substantial public interest; necessary in relation to certain contractual and legal proceedings; necessary to protect the vital interests of the individual.

Further information is here.

8.2 What are BCRs?

The EU Data Protection Directive and the Data Protection Acts impose conditions on the transfer of personal data to countries outside of Europe that are not considered to provide an "adequate" level of data protection. Organisations that transfer large quantities of personal data outside of Europe must do so in accordance with the provision of Section 11 of the Data Protection Acts. To facilitate multinational companies with operations in many countries, the Article 29 Working Party developed an alternative system of "Binding Corporate Rules" (BCRs). BCRs allow the composite legal entities of a corporation to jointly sign up to common data processing standards that are compatible with EU data protection law.

In order to secure approval for BCRs a company must choose a lead data protection authority to coordinate securing approval from other relevant data protection authorities. The lead authority must also as part of this process approve the BCRs. This approval receives mutual recognition from a number of other data protection authorities across the EU.