Individual Rights in International Personal Data Transfers Under the General Data Protection Regulation

Abstract

Within the General Data Protection Regulation (GDPR), individuals have certain rights ('data subject rights') towards their own personal data. These rights include the option to access, rectify or erase one's data. The GDPR also foresees specific rules for international personal data transfers, thus situations in which personal data becomes accessible outside its territorial scope. The goal of these rules is to ensure that the level of protection for the fundamental rights of individuals is not undermined by data transfers. The Court of Justice of the European Union (CJEU) clarified that this level has to be maintained to an 'essentially equivalent' extent, and that this requires also the upkeeping of (some) data subject rights. This paper analyses the role of data subject rights when personal data are transferred under the GDPR. It concludes that the existence of some data subject rights is required for lawful data transfers under the GDPR.