Governance and Compliance

Transfers Outside the EEA

Transferring personal data outside the European Economic Area (EEA)

Under the General Data Protection Regulation (‘GDPR’), there is a general prohibition on the transfer of personal data outside of the EEA unless specific conditions for transfer are met. This is to ensure that there is the same level of protection in relation to personal data and that individuals’ rights under the GDPR are not adversely affected.

The conditions that allow transfer fall into three areas:

  1. There are adequate levels of protection in the other country;
  2. Appropriate safeguards are in place; or
  3. There are certain specific circumstances which permit the transfer of data.

1. Adequate levels of protection

Personal data can be transferred to countries outside of the EEA if the European Commission has decided that the country ensures an adequate level of protection, i.e. equivalent to that required under the GDPR.

The European Commission publishes a list of countries that it has decided have adequate levels of protection. This list includes Andorra, Argentina, Canada (in relation to commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework). Further information can be found on the Commissioner’s webpages.

If you are not sure whether the European Commission has decided that a country has adequate levels of protection, please contact the Data Protection Officer.

2. Appropriate safeguards

If personal data is transferred to a country outside of the EEA that is not recognised by the European Commission as having an adequate level of protection, then it can be transferred where the organisation receiving the personal data has provided adequate safeguards. Further, individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.

Adequate safeguards include the use of standard data protection clauses published by the European Commission.

If you wish to transfer personal data on the basis of appropriate safeguards being in place, then advice should be sought from the Data Protection Officer about the use of approved standard data protection clauses.

3. Other permitted transfers

Where 1 and 2 do not apply, the GDPR provides that personal data can still be transferred outside of the EEA, but only in certain specific circumstances as follows.

The transfer is:

i)      made with the individual’s informed consent;

ii)     necessary for the performance of a contract between the individual and the University or for pre-contractual steps taken at the individual’s request;

iii)    necessary for the performance of a contract made in the interests of the individual between the University and another person;

iv)    necessary for important reasons of public interest;

v)     necessary for the establishment, exercise or defence of legal claims;

vi)    necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or

Whether or not these circumstances apply will depend on the legal basis for processing personal data. Where you are processing data on the basis of the University’s ‘public task’, the first three do not apply.

Advice must always be sought from the Data Protection Officer if you are transferring personal data outside of the EEA in the specific circumstances above.

Contacting the Data Protection Officer

If you need to contact the Data Protection Officer about transferring personal data outside of the EEA, please email dpo@sussex.ac.uk.