Division of the General Counsel, Governance and Compliance

Transfers Outside the EEA

Transferring personal data outside the European Economic Area (EEA)

 

Under the data protection legislation, there is a general prohibition on the transfer of personal data outside of the EEA unless specific conditions for transfer are met. This is to ensure that there is the same of level of protection in relation to personal data and that individual’s rights under the data protection legislation are not adversely affected. 

The conditions that allow transfer fall into three areas:

  1. There are adequate levels of protection in the other country;
  2. Appropriate safeguards are in place; or
  3. There are certain specific circumstances which permit the transfer of data.

1. Adequate levels of protection

Personal data can be transferred to countries outside of the EEA if the European Commission has decided that the country ensures an adequate level of protection, i.e. equivalent to those required under data protection legislation.

The European Commission publishes a list of countries that it has decided have adequate levels of protection. This list includes Andorra, Argentina, Canada (in relation to commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. Further information can be found on the Commissioner’s webpages: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

If you are not sure if the European Commissioner had decided that a country has adequate levels of protection, please contact the Data Protection Officer.

The European Commission had previously decided that personal data could be sent to the United States of America where the other party was certified under the EU-US Privacy Shield. A recent case of the European Court of Justice has decided that the European Commission’s decision was not valid.

The UK’s Information Commissioner has confirmed that we can continue to send personal data to the US where we are currently doing so under the Privacy Shield until they publish new guidance. But we are not able to use the Privacy Shield for any new transfers, for example, sharing data under a new IT contract or research collaboration agreement. It is still possible to send personal data to the US, but only with certain contractual clauses in place to provide adequate data protection. So please contact the Data Protection Officer for any new matters where you will be sending personal data to the US.

2. Appropriate safeguards

If personal data is transferred to a country outside of the EEA that is not recognised by the European Commission as having an adequate level of protection, then it can be transferred where the organisation receiving the personal data has provided adequate safeguards. Further, individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.

Adequate safeguards include the use of standard data protection clauses published by the European Commission.

If you wish to transfer personal data on the basis of appropriate safeguards being in place, then advice should be sought from the Data Protection Officer about the use of approved standard data protection clauses.

3. Other permitted transfers

Data protection legislation allows personal data to be transferred outside of the EEA in some other specific circumstances such as where it is necessary to defend a legal claim. Advice must always be sought from the Data Protection Officer if you are transferring personal data outside of the EEA in these circumstances.