T 2.172 Lack of or inadequate protection regarding the processing of personal data abroad

When transmitting personal data abroad, specific statutory provisions must be observed. Personal data may be transmitted to the member states of the European Union under the same prerequisites applicable to transmissions within the Federal Republic of Germany. Personal data must only be transmitted to agencies in so-called third countries if an appropriate level of data protection (see also § 4b section 3 BDSG) is guaranteed there, if the exceptions mentioned in the law are present (§ 4c section 1 BDSG), or if the responsible agency demonstrates sufficient guarantees regarding the protection of the personal rights and the execution of the related rights (§ 4 c section 2 BDSG). In the latter case, the transmissions require an approval of the regulatory authorities.

Example:

• A German company belonging to an internationally operating corporation wants to switch its hitherto national site and data access management to a directory service that is to be operated centrally in Japan by another subsidiary.
• Japan does not have an appropriate level of data protection (yet). Therefore, disclosing personal data to a Japanese customer is only admissible if an appropriate level of data protection is guaranteed by means of suitable safeguards. This may be performed by signing the so-called standard contract provisions between the German customer and the Japanese contractor.