Cross-Border Transfers of Personal Data

If you need to transfer personal data abroad and/or store it in a non-EEA country, you must ensure that, in accordance with the eighth data protection principle under the Data Protection Act 1998, the country or territory to which it is to be transferred ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
There are specific exemptions, such as obtaining the data subject’s consent, but if one of these does not apply, you need to ensure that either:
  1. The country has been approved by the European Commission (EC) as having an adequate level of protection;
  2. Any US company to which you wish to transfer is signed up to the safe harbor framework agreed between the EC and the US government;
  3. You can prove the country has the adequate level of protection; or
  4. You can put adequate safeguards in place to protect the personal data, such as by using EC-approved model contract clauses or, for intra-group transfer purposes, approved and binding corporate rules.

Please contact us for further information.