• Home
  • Login
  • Welcome to the Staff Intranet
YOU ARE HERE: Skip Navigation LinksEdinburgh Napier Staff Intranet > Service Depts > Governance & Compliance > Governance Services > Data Protection > International Transfers of Personal Data

​International Transfers of Personal Data


A passport to IndiaFurther guidance on international transfers of personal data is available in Section 11 of the Data Protection Code of Practice.


Checklist and Exceptions to Prohibition for Transfers to Non-EEA Countries

University staff should ensure that there are clear and documented procedures and administrative responsibilities for the transfer of personal data to non-EEA countries. In addition, Data Protection Legislation provides a number of exceptions to the prohibition on the transfer of the personal data in question.  The factors which University staff should consider if a transfer of personal data is proposed are in this checklist.


  Download the Checklist and Guidance on exceptions for transfers to Non-EEA countries


EU-US Privacy Shield (Safe Harbour replacement)

The EU-US Privacy Shield became fully operational from 1 August 2016. Companies can sign up to the Privacy Shield with the U.S. Department of Commerce who will then verify that their privacy policies comply with the high data protection standards required by the Privacy Shield.


Important information about the transfer of personal data to the United States

From 1 August 2016 the US Safe Harbour Scheme was replaced by the EU-US Privacy Shield. Information about the scheme can be found on the ICO's website and the European Commission's website, which gives the following overview:


"What is the Privacy Shield?

The Privacy Shield allows personal data to be transferred from the EU to a company in the United States, provided that the company there processes (e.g. uses, stores and further transfers) your personal data according to a strong set of data protection rules and safeguards. The protection given to your data applies regardless of whether you are an EU citizen or not.  


How does the Privacy Shield work?

To transfer personal data from the EU to the U.S. different tools are available such as contractual clauses, binding corporate rules and the Privacy Shield. If the Privacy Shield is used, U.S. companies must first sign up to this framework with the U.S. Department of Commerce. The obligation applying to companies under the Privacy Shield are contained in the "Privacy Principles". This Department is responsible for managing and administering the Privacy Shield and ensuring that companies live up to their commitments. In order to be able to certify, companies must have a privacy policy in line with the Privacy Principles. They must renew their "membership" to the Privacy Shield on an annual basis. If they do not, they can no longer receive and use personal data from the EU under that framework.


If you want to know if a company in the U.S. is part of the Privacy Shield you can check the Privacy Shield List on the website of the Department of Commerce (https://www.privacyshield.gov/welcome). This list will give you details of all the companies taking part in the Privacy Shield, the kind of personal data they use, and the kind of services they offer. You can also find a list of the companies that are no longer part of the Privacy Shield."

The following links provide current guidance:

Any staff who have concerns about current agreements or are contemplating future ones should contact Governance Services.

 Page last reviewed 29 March 2019