NL +31 (0)20 4232420 / SP +34 937 379 542

Can a company that has businesses in- and outside the EU have their back up outside the EU in accordance to the GDPR? What regulation do we follow? Who do we need to notify in case of a security breach and who and how will this legislation be enforced?

Having a back-up outside the EU probably means that you are transferring personal data back and forth. Will this be possible after the GDPR is really implemented in May 2018? The Data protection directive states that personal data can only be transferred to countries outside the EU and the EEA when an adequate level of protection is guaranteed.

The personal data transfer should not be made to non-EU /non-EEA countries that do not ensure adequate levels of protection. However, several exceptions (or “derogations”) to this rule could be applicable.

For example:

  • Consent to transfer outside the EU or “necessary” transfers to comply with contractual obligations or litigation management
  • Standard Contractual Clauses
  • Binding Corporate Rules
  • Assessment of adequacy


The company is located in and outside the EU which legislation do we need to follow?


If the organisation processes – i.e. collect, transfer or store – personal data in more than one EU country, or if the processing substantially affects individuals in more than one EU country, the organisation must comply with every country’s personal data protection legislation. This means that in May 2018 you have to comply to the GDPR in every EU state. So, for ALL the data of EU Citizens, even if the data is located outside the EU, the GDPR is obliged.


Which EU member state do we have to contact if a security breach is found?


Because a lot of EU states do not have a notification requirement, not all breaches are reported. However, this will change in May 2018. Companies will have to notify such data breaches to the relevant regulator within 72 hours. According to the GDPR, the leading supervisory authority of companies established in more than one Member State will be the country where the central administration in the Union is conducted. If the company has no central administration, the establishment of the processor in the Union where the main processing activities in the context of the activities take place will be the leading supervisory authority. The Lead Supervisory Authority will be the primary authority organisations need to deal with, but under circumstances, local authorities can step in as well.


Who will conduct the audits for the compliance of the GDPR and what will they be doing during these audits?


The leading supervisory authority will conduct the audits they can order the company to provide any information it requires for the performance of their tasks. The leading supervisory authority will carry out an investigation in the form of a data protection audit. An audit can take many forms from a ‘desktop’ paper-based review of current policies, procedures and contracts to a full review of how an organisation as a whole process personal data, following the complex flow of data throughout its life from inception through to destruction. The scope of the audit is likely to depend on an employer’s size and resources and current level of compliance.

During an audit, the certifications of the different systems (some systems already have a certification which means the systems are GDPR compliant) will be reviewed, and checked if a certification is needed. The auditor will obtain access to all personal data and all information necessary to perform his tasks. Also, he will have access to any premises including to any data processing equipment and means.

So, to clarify: Your leading supervisory authority is where your main establishment is if a breach is found you will have to report to the Leading supervisory authority. At this point it is still unclear how enforcement is going to work in cases of breaches of the GDPR outside the EU, considering that the legislation of the country outside the EU has the respective mechanisms and cooperative agreements in place with the EU. So, if a breach is found outside the EU and it contains personal data of EU citizens it is still unclear how enforcement will be taken place.

Should you require any assistance in implementing the GDPR within your organisation, please contact us.

About the author
Lisanne Klein is an information security specialist with extensive knowledge of GDPR.