Data Protection Law
The UK company passes information about its employees to this HR service. These are international personal data transfers and, on the face of it, are prohibited by the GDPR. However, personal data transfers such as these happen every single day. So how does the GDPR cater for this and what should your business be doing to ensure that it stays data protection compliant?
Personal Data Transfers – What are Restricted Transfers?
A few months ago, the ICO published updated guidance in relation to international personal data transfers under the GDPR. In this guidance the ICO clarified that personal data transfers are restricted if:
- The GDPR applies to your processing of the personal data that you are transferring. In general, the GDPR applies if you are processing personal data in the EEA, and may apply in certain circumstances if you are outside the EEA and processing personal data about individuals in the EEA;
- You are sending personal data, or making it accessible, to a receiver to which the GDPR does not apply. Usually this is because they are located in a country outside the EEA; and
- The receiver is a separate organisation or individual. So, for example, a transfer from a UK based organisation to its employee working outside the EEA would not be classified as a restricted transfer.
It should be noted that “transfer” does not mean the same as transit. If personal data is simply electronically routed through a non-EEA country but the transfer is actually from one EEA country to another, then it is not a restricted transfer. To give an example, a controller in France may transfer personal data to a controller in Ireland via a server in Australia. As there is no intention that the personal data will be accessed or manipulated while in Australia, the transfer is only to Ireland and is not classed as a restricted transfer.
Which countries are located within the EEA?
The EEA countries consist of the EU member states and the EFTA States. The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom. The EEA states are Iceland, Norway and Liechtenstein. The EEA joint committee recently made a decision that the GDPR does apply to these countries therefore transfers to these countries are not restricted.
How can you make restricted personal data transfers in accordance with the GDPR?
Before making personal data transfers that are restricted, you should consider whether the transfer is necessary. It may be that you can achieve your aims without actually sending data or you can make data anonymous so that it is not possible to identify individuals. If you decide that there is no other way, then clearly the transfer is necessary and the rights of individuals will have to be protected in another way.
The first thing you should consider is whether the relevant country or international organisation is covered by an adequacy decision. The European Commission has the power to determine, on the basis of article 45 of the GDPR, whether a country outside the EU offers an adequate level of data protection. A transfer to an adequate country is the simplest way to transfer data outside the EEA; these transfers are permitted and legal under the GDPR. Currently, there are full findings of adequacy for Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. There are also partial findings of adequacy about Canada and the USA. The adequacy finding for Canada only covers data that is subject to Canada’s Personal Information Protection and Electronic Documents Act. The adequacy finding for the USA only covers personal data transfers covered by the EU-US Privacy Shield framework. Adequacy talks are currently ongoing with South Korea and the adoption procedure of the adequacy decision concerning Japan was launched a few months ago.
In the absence of an adequacy decision by the Commission, personal data transfers may only be made to a third country or an international organisation if the transfer is covered by appropriate safeguards. These safeguards are set out in article 46 of the GDPR. The appropriate safeguards, which may be provided for without requiring any specific authorisation from a supervisory authority, include:
- a legally binding and enforceable instrument between public authorities or bodies;
- Binding Corporate Rules;
- standard contractual clauses adopted by the Commission;
- standard contractual clauses adopted by the supervisory authority and approved by the Commission;
- approved codes of conduct; and
- approved certification mechanisms.
In practice, the safeguards that are likely to be the most relevant are Binding Corporate Rules and standard contractual clauses.
In short, Binding Corporate Rules are internal rules designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA. Binding Corporate Rules can be used by both controllers and processors, provided that the data exporter is established in an EU member state. Binding Corporate Rules must be approved by the relevant data protection authority (in the UK this is the ICO) and in order to gain this approval, an applicant must demonstrate that it has in place adequate safeguards for protecting data throughout the organisation. Once implemented and operational, Binding Corporate Rules are much easier to maintain than a matrix of intra-group contracts and offer greater flexibility to organisations.
As Binding Corporate Rules do not cover transfers outside a corporate group, many companies opt for standard contractual clauses, also known as EU model clauses. At the moment there are three sets of standard contractual clauses; two sets for transfers from data controllers established in the EEA to data controllers established outside the EEA and one set for the transfer from data controllers established in the EEA to processors established outside the EEA. An important thing to remember with standard contractual clauses is that you must not amend them. Additional clauses may be added if necessary however these should be purely commercial in nature.
In the absence of an adequacy decision, or of appropriate safeguards, restricted personal data transfers may still take place if they fall within one of the exceptions set out in Article 49 of the GDPR. Some of the exceptions include:
- Where the individual has given his or her explicit consent to the restricted transfer.
- Where the transfer is necessary for the performance of a contract with the individual.
- Where the transfer is necessary for important reasons of public interest.
- Where the transfer is necessary for the establishment, exercise or defence of legal claims.
Although useful, these exceptions should be used narrowly and only in exceptional cases. It should also be noted that the consent and contract exceptions cannot be relied upon by public authorities in the exercise of their public powers.
While the rules on international personal data transfers may at first sight seem complicated, the GDPR offers a variety of solutions for all types of organisations. In a world more connected than ever, these solutions are a crucial addition to the new data protection laws.