Cross-Border Transfers of Personal Data
If you need to transfer personal data abroad and/or store it outside the UK or in a non-EEA country, you must ensure that, in accordance with the General Data Protection Regulation, the country or territory to which it is to be transferred ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
You can only transfer personal data to a country or international organisation outside the UK or EEA (as applicable) where either:
1. The country has been approved by the Information Commissioner’s Office for UK purposes, or the European Commission (EC) for EU-purposes, as having an adequate level of protection;
2. You can put adequate safeguards in place to protect the personal data, such as by using EC-approved standard contractual clauses or, for intra-group transfer purposes, approved and binding corporate rules. Since the invalidation of the EU-US Privacy Shield, this will likely be applicable for transfers to the US as well;
3. A specific exemption applies under data protection laws, including where the data subject has explicitly consented to the transfer, or the transfer is necessary for the performance of a contract.
We can assist you in assessing whether further safeguards are required to enable your cross-border transfers of personal data and implement the necessary documentation.
Please contact us for further information.