Navigating the rules surrounding the transfer of personal data to other countries can be complex. The many possible scenarios between controllers, processors and even entities within the same corporate group can raise all kinds of questions.
What do I need to do?
Some points to consider:
1. Am I the data controller or the data processor?
2. Are data subjects aware of a potential data transfer, and have they been provided with the relevant details, or have consents been obtained (where required)? Check your privacy notices.
3. Have I undertaken a transfer risk assessment to assess the level of data protection in the proposed receiving country? If not, is there an adequacy decision or derogation covering that country?
4. Have I undertaken due diligence on the data recipient in the other country, and is it safe to transfer? Are further measures needed to make the transfer securely?
5. Does my data processing or sharing agreement allow transfers to be made, and if so, does it restrict transfers to another country? If transfers are allowed, what technical and organisational measures are in place to keep that data secure, and what further mechanisms do I need to put in place?
Once you have considered the above, look at the country to which you will be transferring the data and at what additional measures (if any) are required to make that transfer.
International data transfers – mechanisms
If you are transferring outside the UK, you need to ensure that the recipient country has ‘adequate measures’ in place for keeping that personal data secure, in accordance with UK GDPR. The UK has adequacy decisions in place for various countries, allowing transfers to take place without further measures being needed. An adequacy decision does not replace the need for an appropriate data processing or sharing agreement; the international data transfer mechanisms are additional to that agreement.
Following Brexit, the EU put an adequacy decision in place for data transfers from the EU to the UK, so these can still happen freely (at the moment) without further measures being needed. This may change if UK data protection laws change significantly enough for the EU to withdraw its adequacy decision. We are monitoring the progress of the Data Protection and Digital Information Bill 2023-24 (which had its third reading on November 29th), in case the coming into force of this Bill has any impact on this.
If a data transfer is being made outside the UK to a country for which no adequacy decision is in place, additional measures are needed before the transfer happens. In the UK, this would be by way of the UK Information Commissioner’s Office’s (ICO) International Data Transfer Agreement (which includes a standard set of transfer terms).
Alternatively, if the personal data being processed relates to both UK and EU data subjects, we would usually recommend using the EU Standard Contractual Clauses (SCCs) together with the UK Addendum, so that both can be covered under one agreement. The laws of other countries may also need to be considered.
If a US organisation is a signatory to the recently adopted EU-US Data Privacy Framework (DPF), a data transfer to the US can take place without the need for additional measures, as the DPF sets out standards that the US entity must comply with in order to receive that data. The UK has adopted the DPF (as from October 12th 2023), so if an entity is a signatory to the DPF, a data transfer can take place from the UK under the DPF (and be deemed adequate), provided the usual checks are completed (see the list above).
Summary
Making data transfers outside the UK will always need to be carefully considered, especially where the transfer requires additional measures in order to comply with GDPR rules. If you are ever unsure whether to make a transfer, always check and get advice where needed, including following any guidance from the UK ICO, to stay on the right side of the law and the regulator!
Debbie Venn, Partner, DMH Stallard LLP
www.dmhstallard.com