11. International Transfers of Personal Data
Under Data Protection legislation, there are different legal requirements for contracts depending on which country the data will be held in. The most important distinctions are whether information will be held:
- within the EEA
- by a country on the European Commission's approved list; or
- in another non-EEA country.
11.1 Transfers of Personal Data to European Economic Area (EEA) Countries
The countries which constitute the EEA are the 28 members of the European Union, together with Liechtenstein, Norway and Iceland. The full list is available on Europa, the website for the European Union.
These countries are considered to ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. This means that transfers of personal data between those countries are automatically permitted.
However, it is unwise to assume that transfers of personal data to, or from, other EEA States will always be straightforward. Prior to beginning any personal data transfers to EEA States, University staff should:
- Evaluate the relevant national legal and administrative compliance criteria for personal data transfers in all countries involved
- Liaise with appropriate officers in institutions/organisations to, or from, whom data is to be transferred, to allocate responsibility for ensuring that appropriate legal and administrative formalities have been satisfied
- Document both the legal and administrative requirements, and the agreed responsibilities of the respective parties, ideally in a contractual document, with appropriate warranties and indemnities in case of breach
Template clauses to incorporate into an existing agreement and a separate standalone template agreement are available from the Information Governance Manager.
11.2 EU Commission Approved List
11.2.1 Some countries outside the EEA have been officially deemed by the EU Commission to have an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. The EU Commission publishes a full list of approved countries, which includes Argentina, Canada, Switzerland, Guernsey and the Isle of Man.
11.2.2 Where the country has been formally assessed as providing adequate protections, the transfer is to be treated as a data transfer to an EEA country and the template clauses and agreements referred to in 11.1 above are to be used.
11.3 Transfers of Personal Data to Non-EEA Countries
Data Protection legislation contains specific provisions with regard to the transfer of personal data to countries outside the EEA. Article 46 of the GDPR states "a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available". This is qualified by a number of conditions e.g. personal data may be transferred to a country without an adequate level of protection where the data subject has given consent to the transfer.
11.3.1 University staff should ensure that there are clear and documented procedures and administrative responsibilities for the transfer of personal data to non-EEA countries. University staff should consult this checklist when considering if a transfer of personal data is proposed.
11.4 Transfers of Personal Data to USA under Safe Harbor Scheme
Formerly, the US Safe Harbor Scheme gave businesses an assurance that if they transferred personal data to members in the USA, they would satisfy the legal requirement that personal data transferred outside the EU was adequately protected. However, in a recent decision by the Court of Justice of the European Union (CJEU) that assurance has now been removed. The Office of the UK Information Commissioner (ICO) has commented that:
‘The judgment did not strike down Safe Harbor itself, but focused on the Commission Decision that had given the assurance to businesses. That means there is still a measure of protection for personal data transferred under the scheme – the privacy principles that members sign up to are still positive, for instance. But the assurance that meant Safe Harbor was automatically considered to provide the adequate protection required under Data Protection legislation is no longer there.’
Negotiators for the European Commission and the US State Department had already been attempting to formulate a new deal for months, but the ruling put them under pressure to conclude the talks. A new agreement, called the EU-US Privacy Shield, was reached in early February. Under its terms:
- The US will create an ombudsman to handle complaints from EU citizens about the Americans spying on their data
- The US Office of the Director of National Intelligence will give written commitments that Europeans' personal data will not be subject to mass surveillance
- The EU and US will conduct an annual review to check the new system is working properly
- European data privacy watchdogs will work with their US counterpart, the Federal Trade Commission, to address any flagged problems
- Companies could be prevented from making use of the deal if they are found to fail to comply with privacy safeguards
The UK ICO has produced guidance, which can be found here: https://ico.org.uk/media/for-organisations/documents/2014413/data-transfers-to-the-us-and-privacy-shield.pdf
Any staff who have concerns about current agreements or are contemplating future ones should contact the Information Governance Manager.
11.5 Exceptions to Prohibition on Data Transfer
Data Protection legislation provides a number of exceptions to the prohibition on the transfer of the personal data in question, details of which are given with the checklist above.
11.5.1 Use of exceptions
Any use of these exceptions must be fully documented in order to justify the basis for any transfer made to a third country, in case of a challenge made by either the Information Commissioner or in the courts.