Toolkit for the EU GDPR – 5) Transferring personal data outside the EU under GDPR

published on May 24, 2018

Background

This note is part of our series of “Toolkits” on specific key elements of the upcoming EU GDPR (General Data Pro-tection Regulation). If you are an enterprise based in the EU or you hold or process any personal data of any EU citizen you will need to ensure that you are compliant with the GDPR on and following its implementation date of 25 May 2018.

The GDPR will be implemented in the UK through the Data Protection Act 2018.

The GDPR does not seek to drastically alter the soon to be old UK regime (under Data Protection Act 1998) but it does add important additional pro-active requirements for compliance and enhanced data subject rights and pro-tections (as well as creating a more uniform EU-wide regime).

Disclaimer

This document is not a comprehensive explanation of the GDPR or the obligations under it and is not intended to provide advice. If you require any advice please contact us on the contact details provided further below.

What is the GDPR

The GDPR will replace the existing EU Data Protection Directive 1995 (95/46/EC) on the 25 May 2018. It seeks to update the data protection legislation in line with modern changes in technology and the way in which personal information is commonly used, processed and shared.

This note is an overview of the key considerations for entities transferring or transmitting personal data outside the EU. You must still ensure that any personal data you process (including personal data which you store) is compliant with the other provisions of the GDPR – please see our other GDPR Toolkits for more information on this.

When can personal data be transferred outside of the EEA?

The GDPR makes it clear that personal data may only be transferred outside of the EEA in limited circumstances, including:

If the European Commission has made a finding that the third country, territory or sectors within the third country ensures an adequate level of privacy protection (Adequacy Decision); or
the data controller or data processor provides appropriate safeguards; or
the data subject has provided explicit consent to the transfer.

Adequacy Decision

The European Commission will publish adequacy decisions regarding the safety of transferring personal data to a third country (outside the EEA), territory, industry sector etc. If the European Commission has deemed the third country, territory etc to be adequate personal data may be transferred.

The European Commission is required to periodically review its adequacy decision at least every four years and continuously monitor developments in third countries and international organisations that could affect any current adequacy decisions.

For a finding of adequacy to occur, the protection towards data subjects in the third country/ territory should be essentially equivalent to that ensured within the EEA.

It is important to note that an adequacy decision from the European Commission does not mean that the any company must not take active steps to protect any personal data. The company should also ensure it complies with the GDPR and steps should be taken to ensure the rights and protections of the data subject.

What are Appropriate Safeguards?

Appropriate safeguards include:

Having an agreement in place with the data transferee that includes standard contractual clause protecting data protection which have been adopted by the European Commission or adopted by a supervisory authority and approved by the European Commission.
If transferring intra-group, having binding corporate rules within the organization which protects data protection.
Transferring data to a transferee that is subject to an European Commission approved code of conduct or certification mechanism.

It is important that this protection provides the data subject with the rights and protections that they are entitled to under the GDPR.

Using clauses which have been adopted by Supervisory Authorities (in the UK it is the ICO) is a good way of ensuring that any safeguards within contracts are sufficient.

It is also possible to seek approved certification of data protection which demonstrate compliance with/ appropriate safeguards from an accredited body, the lead supervisory authority, European Data Protection Board.

The company should also ensure it complies with the GDPR and steps should be taken to ensure the rights and protections of the data subject.

Brexit

As the UK will have adopted the GDPR prior to Brexit (and there is no suggestion that the UL will adopt other rules post Brexit) it is likely that the European Commission will provide the UK with adequacy status once it has left the EU.

If data is being transferred from the EEA to the UK after Brexit than business policies and terms and conditions may need to be updated to reflect that the UK is no longer in the EU and any personal data will therefore be transferred outside of the EEA.

A risk adverse approach for EEA companies who currently transfer data to the UK (and with to continue to do so) would be to have safeguards in place in the event that the UK does not receive adequacy status from the European Commission i.e. by having Brexit clauses within agreements or by having draft agreements ready (which included European Commission approved contractual clauses) which will provide adequate safeguards.