There is a risk in losing the protection of the Data Protection Act (2018) when personal data is transferred outside of the EEA.
- International Transfer | Data Protection
- Borders to be Concerned About
- Adequate Countries Outside of the EU
- Alternatives Options for International Transfer
Personal data is considered to be transferred internationally when:
- It is physically transferred across a border; or
- It is accessed across borders.
Transfers of personal data are not restricted within the EU. Transfers to other countries are prohibited unless such country provides “an adequate level of data protection” as determined by the European Commission or unless certain other conditions are fulfilled.
- Faroe Islands
- Isle of Man
- New Zealand
- US - if the company is signed up to Privacy Shield - you can go on privacyshield.gov to check this.
- Use of EU-approved Model Contracts between the Data Exporter and Data Importer
- Binding Corporate Rules
- Codes of Conduct and Certification – an external Controller or Processor may commit to a scheme approved at EU level.
If none of these options applies, you can transfer the personal data if:
- you have the individual’s explicit consent;
- the transfer is necessary to enter into or perform a contract perform with the individual (e.g to provide a mandatory overseas placement);
- the transfer is necessary to enter into or perform a contract perform with another person/organisation for the benefit the individual (e.g. when the University takes out local insurance for students on overseas field trips); or
- the transfer is necessary for legal proceedings/advice.
(This is not exhaustive).
Consider whether any of your arrangements necessitate the international transfer of personal data. If so:
- Is that country considered adequate?
- If not, is there a contractual safeguard is in place?
- If not, can you rely on consent, contractual necessity etc.?
This should also be set out in your privacy notice.