GDPR and the transfers of personal data

I often get asked about transfers of personal data under the GDPR. If this also applies to you and you are unsure how to deal with this important part of the 6 GDPR Principles, then I hope the following information, to-do lists and suggestions will help you understand it better.

At a glance

  • Transfers of personal data to recipients in “third countries” (i.e. outside of the European Economic Area (“EEA”)) continue to be regulated and restricted in certain circumstances.
  • The GDPR’s obligations are broadly similar to those imposed by the Data Protection Directive, with some compliance mechanism improvements available, notably the removal of the need to notify standard contract clauses to supervisory authorities, and encouragement for the development of transfer adequacy codes of practice and certification schemes.
  • Data transfer compliance will remain a significant issue for multinational organisations and also for anyone using supply chains which process personal data outside the EEA.
  • Breach of the GDPR’s data transfer provisions is identified in the band of non-compliance issues for which the maximum level of fines can be imposed (up to 4% of worldwide annual turnover).
  • Non-compliance proceedings can be brought against controllers and/or processors.

To-do list to help with compliance in this matter

  • Review and map key international data flows.
  • Consider what data transfer mechanisms you have in place and whether these will continue to be appropriate.
  • Review questions included in standard procurement templates and contract clauses to ensure that information about your supplier’s proposed transfer of personal data for which you are responsible is understood and conducted in a compliant way.
  • If you or your suppliers previously relied upon a Safe Harbor certification to ensure adequacy, this is no longer valid. This being said, you may consider seeking certification under its replacement, the Privacy Shield. In any event, you may want to re-evaluate your relationships with service providers and/or customers to establish a new legal basis that will justify ongoing transatlantic data transfers.
  • For intra group data transfers, consider whether BCRs would be a viable option.
  • If you transfer personal data outside the EEA whilst supplying goods or services, expect to be questioned by customers about your (and your supplier’s) approach to transfer compliance.
  • Keep an eye on developments regarding approved codes of conduct and certification schemes carried out in the context of an organisation’s activities.

Hope this information helps, and if you need any more details on this or any of the other 6 GDPR principles, then please feel free to get back to me.
