GDPR - Transferring data overseas
As with the Data Protection Act 1998, the General Data Protection Regulation (“GDPR”) imposes restrictions on the transfer of personal data to a third country or international organisation outside of the EU. It can only be transferred if one of the conditions for transfer set out in the GDPR is satisfied.
If your organisation processes personal data and transfers it overseas, has it taken steps to ensure such transfers comply with the GDPR?
What are the conditions for transferring personal data outside of the EU?
If your organisation transfers data outside of the EU, it must be able to satisfy one of the following conditions:
• Transfers on the basis of a European Commission finding of adequacy
Transfers may be made where the European Commission has decided that the third country ensures an adequate level of protection. For the current list of countries, please refer to ‘Commission decisions on the adequacy of the protection of personal data in third countries’ [http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm]. These decisions are monitored by the Commission.
No finding of adequacy has been made in relation to the US but the European Commission has agreed to the EU-US Privacy Shield which imposes stronger obligations on companies in the US to protect personal data. We will have to wait to see if a finding of adequacy by the European Commission will be made in favour of the UK following Brexit.
• Transfers are subject to appropriate safeguards
If there is no finding of adequacy in relation to the country to which data is being transferred, transfers may be made where the organisation receiving the personal data has implemented appropriate safeguards, and enforceable data subject rights and effective legal remedies for data subjects are available. Examples include legally binding corporate rules governing transfers between companies that have been approved by the Information Commissioner, or agreements incorporating standard contractual clauses adopted by the European Commission.
In the absence of a finding of adequacy or appropriate safeguards, transfers of personal data outside of the EU should only take place if one of the following derogations specified in the GDPR can be met:
• The individual has explicitly consented to the transfer after being informed of the possible risk of such transfers.
• The transfer is:
o necessary to perform a contract between the individual and the data controller or to take steps at the individual’s request with a view to entering into a contract with the data controller; or
o necessary for the conclusion or performance of a contract concluded in the interest of the individual between the data controller and a third party.
• The transfer is necessary for important grounds of public interest (for example, crime prevention or detection).
• The transfer is necessary for the establishment, exercise or defence of legal claims.
• The transfer is necessary in order to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent.
• The transfer is made from a public register intended to provide information to the public and that is open to consultation either by the public in general or by any person who can demonstrate legitimate interest (for example, the electoral roll or the register of companies’ directors).
• One-off or infrequent transfers that are necessary for the purposes of legitimate interests pursued by the controller or the processor where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations, and based on this assessment has where necessary adduced appropriate safeguards with respect to the protection of personal data.
Getting it wrong could mean a fine of up to 20 million euros or 4% of your organisation’s worldwide annual turnover, whichever is higher.
The new Data Protection Bill was published in September 2017 and is currently making its way through Parliament. It is too early to know what form the final Data Protection Bill will take and it may differ from the GDPR in some respects. Brachers will continue to monitor the situation and highlight any points where differences are likely to have a material effect.
How can we help?
For further information and advice on the GDPR please contact our specialists.