Are you running a business and worried about who you are transferring data to?
Wondering what the laws are in relation to data transfers?
Perhaps you are using a third-party software supplier who have servers in the USA?
Maybe you are using a company based in Ireland to process your payments?
Maybe you have a subsidiary in Australia who you share personal data about your clients with?
Are you finding it all a bit over-whelming and too wordy?
Work through the questions below to determine what you need to consider (and do) to stay compliant with the UK data protection laws.
Is there a personal data transfer?
Under UK laws, if there is a transfer of personal data to a country outside of the UK then you need to think carefully about what you are doing. You need to make sure the transfer of the data is done in a compliant way and in line with the UK laws.
This includes scenarios where the personal data can simply be accessed via screens in a different location – so for example, if you have data stored on UK servers but colleagues in your Australian office can view the data, then even though you are not actually ‘sending’ the data, the fact that it is ‘accessible’ in the subsidiary’s office means that a transfer has taken place.
If there is a transfer, then read on…
Is it to a country covered by adequacy regulations/requirements?
Under UK laws, you are able to make a transfer of data to another country if that country is located in a country that is covered by the UK ‘adequacy regulations’. Countries covered by the adequacy regulations have been deemed by the UK, as having legal frameworks that provide adequate protection in respect of individuals data protection rights.
At the moment, the UK has adequacy regulations about these countries:
EU member states: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania., Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
EFTA Countries: Iceland, Norway and Liechtenstein
EU/EEA institutions/bodies/office/agencies: Gibraltar, Republic of Korea.
Other countries/territories/sectors: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
Partial findings of adequacy in Japan (private sector organisations only) and Canada (only data subject to Canada’s Personal Information Protection and Electronic Documents Act).
If the country you are transferring to is not listed above, then that county is not covered by the adequacy regulations. If the adequacy regulations do not apply, then you need to consider whether other appropriate safeguards are in place instead.
If not, are there appropriate safeguards in place?
There is a list of appropriate safeguards in Article 46 of the UK GDPR.
Under UK GDPR, the most usual safeguard is to use the standard contractual clauses – which means using the new ICO International Data Transfer Agreement (IDTA) or putting in place an appropriate SCC (EU Standard Contractual Clauses).
How should you get the appropriate safeguard put in place?
Follow this simple checklist:
1. You should firstly check your T&Cs with the third-party who you are sharing the data with – does it already contain an appropriate document to deal with the data transfer?
2. If not, then you should ask them if they have a transfer agreement for your review and signatures.
3. If they don’t have anything, then you should get an appropriate document drafted for their review and signature.
4. You may be wondering how you can do this!? The ICO have guidance and templates available here for the IDTA and the European Commission have guidance and templates here for the SCCs.
5. If you need help completing these templates (or getting them checked/reviewed) then get in touch – I offer a service where these templates can be tailored to your data transfers.
Is your existing SCC up to date?
If you already have a SCC in place then you need to check whether it is still valid. Are you using the ‘old version’? This is the EU SCCs dated 2010.
This old (2010) version of the SCCs should have been replaced with the new versions (published in 2021) before 27th December 2022. At which point the old version of the SCCs no longer became valid and if the new SCCs have not been implemented then the data transfer will not be compliant with the data protection laws.
What’s the difference between a SCC and the UK IDTA?
1. The new EU SCCs
Most organisations use the new EU SCCs when they have operations across the UK and EEA jurisdictions.
2. The UK IDTA – This is a separate, standalone agreement that can be used in the same way as the EU SCCs. It has been drafted (by the ICO) specifically for transfers of data from the UK and ensures compliance with the UK GDPR. Organisations are tending to prefer this document if they don’t have any operations within the EEA as there is no need to enter into two documents (the EU SCCs and the UK Addendum). In the IDTA, the dealing of data is dealt with neatly in one document. The IDTA simply places contractual obligations on organisations exporting data to another organisation in a different jurisdiction.
Is there another option? An exception perhaps?
Once you have analysed everything it may be that the country you are sending the personal data to is not covered by the adequacy regulations. You might be wondering if you must get a SCC/IDTA in place? Maybe the organisation you are sending the data to is being reluctant to sign something. If that’s the case then you may be able to transfer the data still….but only if you can fall within one of the 8 exceptions that are set out in Article 49 of the UK GDPR:
The eight exceptions are:
You have the explicit consent of the person the transferring data is about.
You have a contract with the person the transferring data is about, and the restricted transfer is necessary so you can carry out your obligations in that contract. Or, the restricted transfer is necessary so you can carry out pre-contract steps as requested by that person.
The restricted transfer is necessary for you to enter into a contract or to carry out your obligations under a contract. And that contract benefits the person the transferring data is about. (In this case the contract is not with that person).
The restricted transfer is necessary for important reasons of public interest.
The restricted transfer is necessary to establish whether you or someone else has a legal claim or defence, to make a legal claim or to defend a legal claim.
The restricted transfer is necessary to protect someone’s vital interests – this may or may not be the person the transferring data is about. To use this exception the person the transferring data is about must be physically or legally incapable of giving their consent to the restricted transfer.
The restricted transfer is from a public register and meets the relevant legal requirements relating to access to that public register.
The restricted transfer is a one-off transfer which is necessary to meet your compelling legitimate interests.
Please note that relying on one the above exceptions should only be done as a last resort. These exceptions will not provide the comfort to the data subjects about the safety of their data and will therefore not be in line with the general spirit of data privacy and protection.
If you are intending to rely on one of these exceptions, please get in touch, as there are specific requirements for each of the above and you should carry out proper analysis before relying on an exception to ensure full compliance is being met.