International Data Transfers
A transfer is considered to be across borders whether it is physically transferred or is accessed across borders. This can sometimes happen in obscure situations, for example, where a customer support agent from another country is granted access to a computer in the UK then this will constitute a data transfer if personal information is contained on the software platform.
Under the GDPR, data transfers are not restricted if made within the 28 EU members or 3 EEA member countries (Iceland, Liechtenstein and Norway). Transfers to other countries however are prohibited unless safeguards are in place.
It is necessary for a country to be designated as “adequate” by the EU Commission and this status is recorded in the White List Jurisdictions.
The position regarding data transfers to the US is somewhat uncertain. Since 2015, a Privacy Shield allows US companies to self-certify that they meet the data protection principles contained in the GDPR and there are a significant number of US companies who operate under this mechanism. However, the EU data protection authorities have continued to express concerns about its policies and the Privacy Shield is being reviewed annually.
It is also unclear whether the UK will be given adequate status post Brexit although adherence to all data protection legislation to date should theoretically make this likely.
Personal data must only be transferred across borders with the express consent of the data subject and this should be retained as evidence for audit purposes.
The transfer should also be necessary in performance of a contract between the data subject and the controller. Essentially, if appropriate safeguards are in place by the processor to keep the data secure and effective legal remedies are available to the data subjects then this should satisfy the requirements of the Regulations.
If we can assist you or your business in any way, or if you have any questions in relation to the services that we offer, please contact us. We look forward to working with you.
International Data Transfers Checklist
- Have you identified all cross-border data flows?
- Is any data exported outside the EEA? If so, do these countries offer an adequate level of protection?
- Do you export data to the US under a Privacy Shield?
- Have you obtained consent from the data subject to export their personal data?
- Is the data transferred in performance of a contract with the data subject?
- Do you have an appropriate contract with the controller or processor providing for compliance with the GDPR’s?
- As a controller, has the processor provided you with evidence of GDPR compliance?