Priviblog

International Data Transfers and GDPR Compliance

Posted on 14/09/2018


Anyone whose goal is GDPR compliance must first understand the rules on international data transfers. Failure to do so risks hefty GDPR fines and bankruptcy.

International data transfer restrictions apply regardless of how many transfers you make or how large they are. The Information Commissioner's Office (ICO) website offers a questionnaire road map which, depending on your answers, points the best way forward for GDPR compliance. Remember, these restrictions apply only to personal data, and only when data is transferred from an EU country to a non-EU country. EU-to-EU data transfers need no special provisions. Nor does routing data from one EU country to another via a non-EU country. Note that the European Economic Area countries, Iceland, Norway and Liechtenstein, are currently classed as non-EU for this purpose. This is expected to change soon, pending a decision by the EEA Joint Committee.

Be wary of putting personal data on an EU website accessible from outside the EU. Cloud computing or other web services can also land you in a world of pain if they’re hosted on the other side of the EU border from you. Even something as innocuous as arranging staff work trips to non-EU countries can lead to a lapse in GDPR compliance.

If you’re transferring personal data outside the EU, then you should refer to Chapter V (Articles 44 to 49) of the GDPR for how it’s done. Such a transfer is called a ‘restricted transfer’. The ICO GDPR website has a more precise definition of this term.

Now let’s look at the three main routes for transferring personal data to a non-EU country without rattling the GDPR cage. It’s best to consider these in order (at least for an easier life!). The third route is the list of exceptions found in Article 49 of the GDPR, which permit international data transfers when neither of the first two routes is available. These are essentially your last shot at GDPR compliance.

  • Transfer Based on an EU Commission ‘Adequacy’ Decision

The EU Commission has approved certain so-called third countries to have an adequate level of data protection. In fact, this approval can also extend to specific industry sectors and territories within a third country. You can check out the EU’s current list of approved countries here.

Note, ‘adequacy’ now doesn’t mean adequacy forever. Also, in time, new countries will join the list - Japan should be on there soon. Post-Brexit, expect to see the UK listed as a third country. It’s always worth checking the list regularly.

While the USA is on the list, only those data transfers made through the Privacy Shield Framework are legitimate. A similar partial adequacy decision applies to Canada, where it covers only data transfers subject to the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Privacy Shield framework will be discussed later in the article.

  • Transfer Based on Appropriate Safeguards

So what if you’re transferring personal data to a non-EU country which isn’t on the EU’s adequacy list? This is where you shift gears and explore the possibility of ‘appropriate safeguards’. These are mechanisms put in place to ensure both sender and receiver protect the data privacy rights of individuals. Each of the safeguards listed below makes a restricted transfer legitimate and offers GDPR compliance. For readability, I’ve only listed the main safeguards, but you can find further information in Articles 46 & 47 of the GDPR.

a. Public body transferring to another public body. This assumes both parties have signed a legally binding and enforceable data privacy contract.

b. Binding corporate rules (BCR). A BCR is an internal code of conduct detailing how a corporation handles personal data during a restricted transfer. Both sender and receiver must have signed up to the same BCR document, which then provides the basis for GDPR compliance. Multinational corporations first submit their BCRs to an EU supervisory authority for approval.

c. Standard data protection clauses. Otherwise known as the ‘standard contractual clauses’ or ‘model clauses’. Data transfers are legal under GDPR compliance rules only if sender and receiver have signed a contract containing these. There are four sets of data protection clauses adopted by the EU Commission. Two cover controller-controller transfers; the other two cover controller-processor transfers. These contracts place legal obligations on both sender and receiver to protect the data privacy of individuals.

  • Transfer Based on Exceptions

What if none of the above offers you GDPR compliance? The GDPR lists a few exceptions which might yet make your data transfer legitimate. But these really are your Last Chance Saloon for GDPR compliance. They are listed below in brief. Again, you can find more detailed information by referring to Article 49 of the GDPR. The term ‘individual’ below refers to the data subject whose personal data is being transferred.

a. The individual has given explicit consent for a specific restricted transfer. Specific is key here; you can’t get consent for general transfers. The individual also must be informed of the receiver’s identity, the destination country and what data is being transferred. Said individual may at any time withdraw consent.

b. The sender has agreed a contract with the individual, and the restricted transfer is necessary to perform that contract. If so, the exception applies. But it can only be used occasionally, and never by public bodies exercising their public powers.

c. As b., but where the contract is made with someone other than the individual, in that individual’s interest.

d. The restricted transfer is in the public interest.

e. The restricted transfer is necessary to make, establish or defend a legal claim.

f. The restricted transfer is necessary to protect the individual’s life during a medical emergency. The individual must be physically or legally incapable of giving consent, and the threat of serious injury must outweigh any concern about data privacy infringement. General medical research is not covered.

g. The data transferred is from a public register or database. This includes registers of criminal convictions, company registers and land registers. It does not include private registers, such as credit reference databases. You also can't transfer public registers in their entirety, nor whole categories.

h. The restricted transfer is a one-off, and it is in your ‘compelling legitimate interests’. This is the mother of all exceptions, and it applies only when none of the mechanisms or exceptions above does. Compelling is the operative word here. An example might be an emergency transfer of personal data to protect a company’s network servers from malicious harm.

The Privacy Shield Framework

As mentioned above, the EU has made a partial adequacy decision on restricted transfers from the EU to the USA. Personal data transfers are only compliant when covered by the Privacy Shield framework.

Privacy Shield is a certification scheme overseen by the U.S. Department of Commerce. U.S. companies certified under the Privacy Shield Framework have the benefit of an adequacy decision from the EU for data transfers. In return they must self-certify to the Department of Commerce and commit to following the Framework’s 23 privacy principles. They must also make a public commitment, enforceable under U.S. law.

Seven of these 23 privacy principles are core.

Notice - Informing individuals which personal data the company collects and for what purpose.

Choice - Allowing individuals to opt out of having their personal data disclosed to a third party. Prohibits data being used for other than its original purpose.

Accountability for Onward Transfer - Entering a robust data privacy contract with any third party controller. Personal data must be “processed for limited and specified purposes” subject to the individual’s consent.

Security - Protecting the personal data being transferred against loss, misuse and unauthorised access.

Data Integrity and Purpose Limitation - Personal data must be accurate, complete and current. The data must be kept only for as long as is needed to fulfil its purpose. This doesn’t prohibit the archiving of data in the public interest, such as for journalism and scientific research.

Access - Within reason, individuals must have access to their held personal data.

Recourse, Enforcement and Liability - Data transfers must be backed up by “robust mechanisms” which monitor and enforce data privacy compliance. These mechanisms must offer prompt recourse for aggrieved individuals affected by non-compliance. This includes any damages due. The company accepts all responsibility for the transfer, including any third party non-compliance.

Note any similarities between Privacy Shield Framework and GDPR compliance?

In 2016, the Privacy Shield Framework replaced the old U.S.-EU Safe Harbor Framework, which is no longer recognised as adequate for data protection.

Data transfers to the USA through the Privacy Shield Framework uphold GDPR compliance. First check that the company’s certification covers the data you wish to transfer. You can find a list of companies in the Privacy Shield Framework here.

Conclusion

Auditing your data flows to ensure GDPR compliance for international data transfers has never been more vital. GDPR fines for infringing these rules can be as high as 20 million EUR or 4% of turnover for the preceding financial year (whichever is higher). If you haven’t done so already, it’s crucial you get GDPR training for yourself and your staff before it’s too late.

For details of our top-class GDPR training, call 0203 2878 243 or email us at info@priviness.eu

References

International transfers - ICO GDPR

International transfers - European Data Protection Supervisor
