Data Protection and International Transfers
The EU GDPR primarily applies to controllers and processors located in the European Economic Area (the EEA). This is comprised of the EU states plus Norway, Liechtenstein and Iceland. The UK has its own version of the GDPR following the end of the Brexit transition period.
Because individuals risk losing the protection of the GDPR if their personal data is transferred to a country with a lower standard of data protection law, both the EU and UK GDPR seek to restrict these transfers unless certain measures or safeguards are in place.
The measures or safeguards most commonly used can be split into 4 types:
Transferring personal data to an approved 'adequate' country
The country the data is being transferred to has been approved as having an ‘adequate level of protection’ for personal data. Adequate countries include: New Zealand, Argentina, Israel, Japan (transfers to certain private sector organisations only) and Canada (transfers to certain private sector organisations only).
The European Commission determines which countries offer an adequate level of protection under EU GDPR. The UK has imported this list into UK GDPR and in future the UK government will make these decisions for the UK. One such UK decision has been the granting of adequacy to all EEA member states. This means personal data can be transferred from the UK to an EEA member state without the need for any additional safeguards.
During the bridging period, whilst the UK is awaiting an EU decision on whether to grant the UK adequacy for the purposes of transfers from the EEA to the UK, transfers can continue as they did during the transition period. If adequacy is granted, transfers from the EEA to the UK will be able to continue on the same terms as at present.
Standard contractual clauses
A restricted transfer can take place to a country that is not on the adequacy list if the exporter and the importer have entered into a contract incorporating standard data protection clauses adopted by the Commission. These are known as the ‘standard contractual clauses’ (sometimes referred to as ‘model clauses’). The UoM Contracts Office and the Procurement team have created template agreements that include these clauses. The SCCs that will need to be used will depend on the nature of the personal data you are processing and who the data subjects are. For example, if you are specifically targeting an online service at EU/EEA citizens based in the EEA, you will need to comply with both the EU GDPR and the UK GDPR.
Ad-hoc transfers of personal data
In certain circumstances a more ad-hoc transfer of personal data can take place to a country not on the adequacy list if one of the derogations (exemptions) applies. There are exceptions for when a transfer is necessary for a contract, when it is in the vital interests of an individual, or where there is explicit consent. You should seek advice from the Contracts Office, Procurement or the Information Governance Office before seeking to rely on any of the derogations.
Binding Corporate Rules
Some companies may rely on an internal code of conduct (Binding Corporate Rules) operating within a multinational group, which applies to restricted transfers of personal data from the group's UK/EEA entities to non-UK/EEA group entities. This may be a corporate group, or a group of undertakings or enterprises engaged in a joint economic activity, such as franchises or joint ventures. These must be approved by a regulator such as the UK Information Commissioner before they can be used. If these are in place, the company you are seeking to transfer data to will indicate this in their terms and conditions or a contract.
Read our decision tree to help guide you through international transfers of personal data.
Previously used safeguards
Privacy Shield
This safeguard operated until Summer 2020. It placed requirements on US companies certified by the scheme to protect personal data, provided redress mechanisms for individuals, and replaced another previous safeguard for the same kind of transfers, called Safe Harbour. The US government Department of Commerce oversaw certification under the scheme. It allowed transfers to be made to US companies that were members of the Privacy Shield scheme. The European Court of Justice ruled that Privacy Shield was invalid in a July 2020 judgement. This ruling, the so-called Schrems II judgement, means that personal data can no longer be transferred to a US-based company under the framework and no new contracts can be entered into that seek to rely on it.
It is likely that the Standard Contractual Clauses will now need to be used for most of these transfers. Because of the Schrems II judgement we must now seek some additional assurance that the other party is able to comply with the SCCs (there is a specific clause relating to the US and another for data importers based in other countries) before we agree them. This has been incorporated into our standard template agreements.
Seek advice from the Contracts Office, the Procurement team or the Information Governance Office if you need to transfer personal data to the US or another non-adequate country and you have any doubts or issues regarding the additional assurance we are now required to seek before agreeing the SCCs.
When do the UK and EU GDPR apply?
If people resident in an EEA state are specifically targeted with online services, or their behaviour is monitored, then the personal data obtained will be subject to the EU GDPR no matter where in the world the data controller is based. The same applies where UK residents are targeted with these services; in this case the UK GDPR will apply no matter where the data controller is based. At present the EU and UK GDPR are identical, but this is likely to change over time once the six-month ‘bridging period’ has ended.