Are you complying with the GDPR when you transfer Personal Data?
Are you a UK-based business? Are there situations in which you receive or transfer personal data about your clients from or to territories outside of the UK? If you have answered both of these questions in the affirmative, you will probably have to consider appropriate safeguards to ensure that you are operating within the framework of the GDPR and the UK GDPR (General Data Protection Regulation).
The GDPR primarily regulates the collection and processing of Personal Data by controllers and processors located in the European Economic Area (EEA). If Personal Data is transferred from inside the EEA to outside the EEA, it amounts to a transfer of Personal Data outside the protection of the GDPR (i.e. it is a 'restricted transfer'). (Personal Data is information that relates to an identified or identifiable individual. Identifiers include the individual's name, number, IP address or other details through which an individual can be identified; basically, if it is possible to identify an individual directly from the information you are processing, then that information may be Personal Data.)
You are therefore making a restricted transfer if:
(1) The GDPR applies to your processing of the Personal Data you are transferring, i.e., if the Personal Data is being processed in the EEA or in certain circumstances if you are outside the EEA and are processing Personal Data about individuals in the EEA; and
(2) You are sending this Personal Data to a receiver not governed by the GDPR (for example, a receiver located in a country outside the EEA); or
(3) The receiver is a separate individual or organisation (this also includes the transfer of Personal Data to another company within the same group).
How do you make a restricted transfer without breaching the GDPR?
Some of the safeguards you must have in place to ensure that the restricted transfer is not in breach of the GDPR are as follows:
(1) The 'adequacy decision' - To start with, you can check if your transfer is covered by an EU Commission 'adequacy decision', i.e. whether the EU Commission has concluded that the legal framework in the receiving country, territory or international organisation provides 'adequate' protection for individuals' rights and freedoms in relation to their Personal Data. If the transfer is covered by an adequacy decision, you may proceed with the restricted transfer provided you continue to comply with the rest of the GDPR. A list of the countries covered by adequacy decisions can be found on the European Commission's data protection website.
(2) Appropriate safeguards in the absence of an adequacy decision - If there is no adequacy decision in respect of the country, territory or international organisation to which you wish to transfer Personal Data, ensure that the 'appropriate safeguards' listed in the GDPR are in place before you make the restricted transfer. These appropriate safeguards ensure that both the transferor and the receiver of the transferred data are legally required to protect the individuals' rights and freedoms in relation to their Personal Data. Some of the appropriate safeguards are:
(a) Legally binding instruments between the transferor and the receiver of Personal Data that provide for enforceable rights and effective remedies for the individuals whose Personal Data is being transferred.
(b) Binding Corporate Rules (BCRs) - These are an internal code of conduct relating to data protection followed by companies within a multinational group, i.e. they govern restricted transfers from the group's EEA entities to non-EEA group entities. This also includes the flow of data to franchises and joint ventures. The BCRs must be submitted for approval to an EEA supervisory authority (usually the authority in the EEA state where the company's EEA head office is located).
(c) Standard Contractual Clauses (SCCs) - You can make a restricted transfer if you and the receiver have entered into a contract incorporating standard data protection clauses adopted by the EU Commission or the Information Commissioner's Office (ICO). (Please note that, according to the ICO's website, the ICO has not yet adopted any data protection clauses.)
(d) Approved certification mechanism - You can make a restricted transfer if the receiver has been certified under a certification scheme approved by a supervisory authority.
(e) The GDPR exceptions - If the restricted transfer is covered neither by an adequacy decision nor by an appropriate safeguard, a transfer can be made under an 'exception' set out in Article 49 of the GDPR. However, please note that these should be treated as 'true exceptions' to the general rule that you should not make a restricted transfer unless it is covered by an adequacy decision or there are appropriate safeguards in place. Some of these exceptions are:
(i) The individual/data subject has given explicit consent to the restricted transfer;
(ii) Occasional restricted transfers can be justified by the exception that the restricted transfer was necessary in order to perform the contract;
(iii) The restricted transfer has to be made for important reasons of public interest;
(iv) The restricted transfer has to be made in a medical emergency;
(v) A one-off restricted transfer, if on balance your compelling legitimate interests outweigh the rights and freedoms of the individual.
Transfer of Data under a No-Deal Brexit
As per the ICO's guidance on this subject, if the UK leaves the EU without a deal, the UK's own transfer rules will apply. It is anticipated that:
(a) The UK's transfer rules will mirror the GDPR rules;
(b) Although the UK will make its own adequacy decisions after the exit, it will recognise existing EU adequacy decisions, approved EU SCCs and BCRs wherever possible;
(c) Transfer of Personal Data from the UK to the EEA will not be restricted but will be subject to transitional provisions for a UK adequacy decision to cover these transfers;
(d) A transfer of Personal Data from the EEA to the UK will have to comply with the GDPR transfer restrictions.
The above is a glimpse of some of the rules relating to the restricted transfer of data. Detailed information can be found on the ICO's website and should definitely be referred to if you are a global company transferring third-party Personal Data from the EEA to non-EEA group companies, or if you are an organisation that regularly works with and passes personal information about clients in the EEA to partners, collaborators or authorities outside of the EEA.
References
ICO, 'International Transfers', Guide to GDPR for organisations, <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers>, accessed 4 December 2019.
Author
Geeta Daswani - Dual-qualified solicitor and founder at The Daswani Law Company