page-banner

Practice Areas

International data transfers

EM Law are experts in advising on international data transfers. Our lead data protection lawyer is Neil Williamson who has extensive experience in advising clients on a wide range of data protection matters.

On 25 May 2018 the General Data Protection Regulation (GDPR) came into force. The GDPR ushered in a number of changes to data protection, including new requirements concerning the transfer of personal data outside the European Economic Area (EEA).

What are restricted international data transfers?

Broadly speaking, the GDPR restricts the transfer of data outside the EEA. The ICO states that a transfer is restricted if:

  • the GDPR applies to your processing of the personal data that you are transferring. In general, the GDPR applies if you are processing personal data in the EEA, and may apply in certain circumstances if you are outside the EEA and processing personal data about individuals in the EEA;
  • you are sending personal data, or making it accessible, to a receiver to which the GDPR does not apply. Usually this is because they are located in a country outside the EEA; and
  • the receiver is a separate organisation or individual. So, for example, a transfer from a UK based organisation to its employee working outside the EEA would not be classified as a restricted transfer.

It should however be noted that “transfer” does not mean the same as transit. If personal data is simply electronically routed through a non-EEA country but the transfer is actually from one EEA country to another, then it is not a restricted transfer. To give an example, a controller in France may transfer personal data to a controller in Ireland via a server in Australia. As there is no intention that the personal data will be accessed or manipulated while in Australia, the transfer is only to Ireland and is not classed as a restricted transfer.

Which countries are located within the EEA?

The EEA countries consist of the EU member states and the EFTA States. The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom. The EEA states are Iceland, Norway and Liechtenstein. The EEA joint committee recently made a decision that the GDPR does apply to these countries therefore transfers to these countries are not restricted.

How can you make restricted international data transfers in compliance with the GDPR?

Adequacy decision

The first thing you should consider is whether the relevant country or international organisation is covered by an adequacy decision. The European Commission has the power to determine, on the basis of article 45 of the GDPR, whether a country outside the EU offers an adequate level of data protection. A transfer to an adequate country is the simplest way to transfer data outside the EEA; these transfers are permitted and legal under the GDPR.

Appropriate safeguards

In the absence of an adequacy decision by the Commission, personal data may only be transferred to a third country or an international organisation if the transfer is covered by appropriate safeguards. The appropriate safeguards include putting in place Binding Corporate Rules or standard contractual clauses approved by the EU.

Exceptions

In the absence of an adequacy decision, or of appropriate safeguards, restricted international data transfers may still take place if they fall within one of the exceptions set out in Article 49 of the GDPR. Some of the exceptions include:

  • Where the individual has given his or her explicit consent to the restricted transfer.
  • Where the transfer is necessary for the performance of a contract with the individual.
  • Where the transfer is necessary for important reasons of public interest.
  • Where the transfer is necessary for the establishment, exercise or defence of legal claims.

Although useful, these exceptions should be used narrowly and only in exceptional cases. It should also be noted that the consent and contract exceptions cannot be relied upon by public authorities in the exercise of their public powers.

If you are looking for assistance with international data transfers contact Neil Williamson.

EM Law Neil Williamson

Make An Enquiry

Reviews

Make An Enquiry Now

Please call us now on 0203 637 6374 or Make An Online Enquiry and we will soon be in touch with you

Close

Make An Enquiry

Can We Help You?

We are here to help with any of your questions.
Just click "Yes" below.

Yes
No
+

Please enter your question below

Send Your Question

Please enter your name and email address so than we can send you a response

Thank You!

Technical issue

Thank you for sending us your question. We will contact you shortly to discuss this.

Sorry, there is a technical issue. Please contact us by telephone: 0203 637 6374

Close