Transferring and processing personal data outside the EU and the European Economic Area

Suomeksi

The transfer or disclosure of personal data outside the EU or the European Economic Area is restricted by the General Data Protection Regulation (GDPR) of the EU and the Data Protection Act in Finland. The purpose of these regulations is to protect the data subjects in countries outside Europe.

According to the data protection regulations, personal data may be transferred outside the EU in case the European Commission has determined that the country’s level of data protection is adequate, or by using the transfer mechanisms and/or adequate safeguards specified in the legislation.

Resources containing personal data stored in the Language Bank may only be processed in accordance with the resource-specific license including the data protection terms and conditions. For some resources, the transfer of data out of Europe may be restricted or forbidden.

Countries to which personal data may be transferred under the same conditions as within Finland

In general, the Language Bank may disclose resources containing personal data to all of the following countries under the same conditions (note, however, that the information may change and exceptions may apply on individual resources):

1. All EU countries
2. Countries belonging to the European Economic Area (Iceland, Norway, and Liechtenstein)
3. Countries whose level of data protection is considered adequate by the European Commission (see the list maintained by the Commission).

In what situations are additional measures required?

If you log in to the Language Bank service with the user credentials of an organization located outside Europe and request access to a resource that contains personal data, please be aware that processing your request may be more complex and it may take longer than usual. We will also need some additional information from you in order to process your application. Further instructions are provided below on this page.

Please note that, for example according to the guidelines of the University of Helsinki (updated on December 11, 2025), if a researcher affiliated with the University of Helsinki processes the data related to their own research when they are physically located outside the EU or EEA for example to participate at a conference, this is not considered as ’transfer’ or ’disclosure’ of the data.

Why are additional measures required to transfer personal data outside Europe?

In case the user is going to process the data outside the above-mentioned areas, the controller of the resource deposited in the Language Bank must assess, on a case-by-case basis, whether the legislation of the recipient country is sufficient to maintain the rights of the data subjects and whether the personal data can be adequately protected.

To enable the transfer, a separate agreement can sometimes be made between the Controller (mentioned in the data protection terms and conditions) and the receiving organization.

How to apply for access to material containing personal data in the Language Bank in a country that is not included in the above list

You can submit a request for access to the material as normal via the Language Bank Rights service, in case you are able to log in with your home university account or with your user identity provided by CLARIN. However, please ensure in advance that the transfer is not forbidden by the resource-specific license.

In case you belong to an organization located outside the above-mentioned areas, access to a resource containing personal data in the Language Bank cannot be granted unless a case-by-case risk assessment has been completed by the data controller. For this reason, it may take longer than usual to process your application. Apart from your application, we will also need some additional information from you.

The decision to transfer personal data stored in the Language Bank to a country outside the EU is made by the controller who is responsible for the redistribution of the resource in the Language Bank (this would usually be either the University of Helsinki or another university). The controller will assess whether the rights of the data subjects can be adequately safeguarded in the recipient country in question.

The Language Bank will ask you to provide some basic information that is necessary for this assessment and we will forward the details to the appropriate controller. The controller may ask you to provide additional information for clarification if needed.

Basic information required for the assessment

In order for your application to be processed, please provide the Language Bank with the following information:

1. Identifying information about the resource
   • Full name and identifier of the resource (from the application submitted to the Language Bank Rights service)
   • Address of the resource-specific license page (from the application submitted to the Language Bank Rights service)
2. Description of the intended use
   
   • Brief description of the research purpose (in accordance with the application submitted to the Language Bank Rights service)
3. Link to the public privacy notice concerning the purpose of processing the data
   
   • Public link (according to the application submitted to the Language Bank Rights service)
   • If needed, consult the Language Bank guidelines for writing a privacy notice.
4. Description of the types of personal data and the categories of personal data contained in the resource to be transferred
   • See the resource-specific data protection terms and conditions included in the license of the resource.
   • The more sensitive the data being transferred, the more carefully it must be protected during transfer and in the recipient country.
5. The recipient country and the organization responsible for processing the data located in the recipient country (e.g., a university)
   
   • Name, geographic location and contact details of the organization
   • Description of the recipient organization’s field of activity. This may affect data protection, e.g. due to industry practices or special legal protection that was granted to the organization.
6. Reasons why transfer to that country is necessary
   
   • Would there be any alternatives within the EU or EEA, and why is it not possible to use them?
   • Compare the benefits of the transfer with the potential disadvantages for data subjects.
7. Is it known that the data subjects have been informed of the transfer?
   
   • In case the General Data Protection Regulation (GDPR) has been in force in the EU at the time of collecting the original data and in case the need for data transfer was then already anticipated, the research subjects may have been informed of this.
   • It is usually not possible to inform the data subjects about new transfers of resources that have already been deposited in the Language Bank, as the Language Bank has no knowledge of the identities of the data subjects. However, the public link of your privacy notice will be published on the website of the Language Bank, thus making the information accessible to the data subjects.
8. Description of the data transfer method
   
   • For example, will the material be copied as is from the Language Bank to another location; what transfer channel will be used.

Standard contractual clauses and supplementary safeguards in the context of transfers

In case the controller mentioned in the resource-specific data protection terms and conditions has assessed that the transfer of the data is justified in view of the risks, the controller can make an agreement on the transfer of the data with the organization receiving the data in the destination country (i.e., with your home organization). 

One possibility is to include, for example, the standard contractual clauses issued by the European Commission in the data transfer agreement. However, it will still be necessary to assess whether other supplementary measures are required to protect the personal data.

The supplementary measures may include, for example, other contractual terms and conditions on data protection, pseudonymization or anonymization of the personal data to be transferred, limitation of storage periods, consent of the research subject to the transfer of data, and encryption of the data.

Please note, however, that the parties may have different practices regarding such agreements, and the process may take time.

 

---

 

Last modified on 2026-05-26