Data Protection and International Transfers
The EU GDPR primarily applies to controllers and processors located in the European Economic Area (the EEA). The EEA comprises the EU member states plus Norway, Liechtenstein and Iceland. The UK has its own version of the GDPR following the end of the Brexit transition period.
Because individuals risk losing the protection of the GDPR if their personal data is transferred to a country with a lower standard of data protection law, both the EU and UK GDPR seek to restrict these transfers unless certain measures or safeguards are in place.
The measures or safeguards most commonly used can be split into 4 types:
Transferring personal data to an approved 'adequate' country
The country the data is being transferred to has been approved as having an ‘adequate level of protection’ for personal data. Adequate countries include: New Zealand, Argentina, Israel, Japan (transfers to certain private sector organisations only) and Canada (transfers to certain private sector organisations only).
The European Commission determines which countries offer an adequate level of protection under EU GDPR. The UK has imported this list into UK GDPR and in future the UK government will make these decisions for the UK. One such UK decision has been the granting of adequacy to all EEA member states. This means personal data can be transferred from the UK to an EEA member state without the need for any additional safeguards.
During the bridging period, whilst the UK is awaiting an EU decision on whether to grant the UK adequacy for the purposes of transfers from the EEA to the UK, transfers can continue as they did during the transition period. If adequacy is granted, transfers from the EEA to the UK will be able to continue on the same terms as at present.
Standard contractual clauses
A restricted transfer can take place to a country that is not on the adequacy list if the exporter and the importer have entered into a contract incorporating standard data protection clauses adopted by the Commission. This is known as the ‘International Data Transfer Agreement (IDTA)’. The UoM Contracts Office and the Procurement team have created model contracts which include the IDTA template. The IDTA that will need to be used depends on the nature of the personal data you are processing and who the data subjects are. For example, if you are specifically targeting an online service at EU/EEA citizens based in the EEA, you will need to comply with both the EU GDPR and the UK GDPR.
Ad-hoc transfers of personal data
In certain circumstances a more ad-hoc transfer of personal data can take place to a country not on the adequate list if one of the derogations (exemptions) applies. There are exceptions for when a transfer is necessary for a contract, when it is in the vital interests of an individual or where there is explicit consent. You should seek advice from the Information Governance Office, Contracts Office, or Procurement, before seeking to rely on any of the derogations.
Binding Corporate Rules
Some companies may rely on an internal code of conduct (Binding Corporate Rules) operating within a multinational group, which applies to restricted transfers of personal data from the group's EEA entities to non-EEA group entities. This may be a corporate group, or a group of undertakings or enterprises engaged in a joint economic activity, such as franchises or joint ventures. These must be approved by a regulator such as the UK Information Commissioner before they can be used. If these are in place, the company you are seeking to transfer data to will indicate this in their terms and conditions or a contract.
It is likely that International Data Transfer Agreements (IDTA) will now need to be used for most transfers outside of the EEA. Because of the Schrems II judgement we must now seek some additional assurance that the other party is able to comply with the IDTA (there is a specific clause relating to the US and another for data importers based in other countries) before we agree them. This has been incorporated into our standard template agreements.
Read our decision tree to help guide you through international transfers of personal data.
Seek advice from the Contracts Office, the Procurement team or the Information Governance Office if you need to transfer personal data to the US or another non-adequate country and you have any doubts or issues regarding the additional assurance we are now required to seek before agreeing the IDTA.