
What UK businesses need to consider before making international transfers of personal data

David Edwards, Tuesday 8 February 2022

During everyday activities many businesses use technologies and software that involve the international transfer of employee and customer-related personal data. David Edwards, partner and head of Harrison Drury’s regulatory team, explains the difference between data transit and transfer and what businesses need to do to protect this personal data.

Personal data is information that relates to and identifies an individual, whether directly or indirectly.

With regard to the transfer of data, countries located in the European Economic Area (EEA) enjoy the protection of the General Data Protection Regulation (GDPR) framework, and adequacy regulations exist between the EEA countries and the UK.

If personal data is transferred to countries outside of the EEA, then individuals risk losing these protections. As such, transfers of personal data outside of the EEA, or to other locations that do not meet the adequacy regulation requirements, are restricted unless the individual’s rights are, and can be shown to be, adequately protected, or a lawful exception applies.

At the outset, and before considering whether the transfer rules apply, it is important to distinguish between ‘transfer’ and ‘transit’.

Transit or transfer?

If personal data is merely routed electronically by a UK business through a third-party country to another UK business, then no transfer has occurred, provided that the personal data is not accessed or manipulated along the way. This is termed data in transit, as there is no intention that the personal data can be accessed or manipulated during transit.

However, if the destination of the personal data is outside of the UK, then a transfer will have taken place, even if that personal data is to be accessed only in the UK. For example, a UK business whose IT function operates on or via servers based outside of the UK will have transferred personal data to those servers under those operations, even if the operations of the business are purely UK based.

What must businesses do before making an international transfer of personal data?

As an individual risks losing the protection of the UK GDPR data protection laws if their personal data is transferred by UK organisations outside of the UK, the ICO has produced a helpful checklist that will assist businesses before making any international transfer of personal data, which is briefly outlined below:

  1. Is the business planning to make a restricted transfer of personal data outside of the UK? If no, the transfer can be made. If yes, go to Question 2.
  2. Does the business need to make a restricted transfer of personal data to meet its purposes? If no, the transfer can be made without any personal data. If yes, go to Question 3.
  3. Are there UK ‘adequacy regulations’ in relation to the country or territory where the receiver is located, or a sector which covers the receiver (which currently includes countries in the EEA and countries, territories or sectors covered by existing EU ‘adequacy decisions’)? If yes, the transfer can be made. If no, go to Question 4.
  4. Have one or more of the ‘appropriate safeguards’ referred to in the UK GDPR been put into place? If yes, go to Question 5. If no, go to Question 6.
  5. Having undertaken a risk assessment, is the business satisfied that the data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK data protection regime? If yes, the transfer can be made. If no, go to Question 6.
  6. Does an exception provided for in the UK GDPR apply? If yes, the transfer can be made. If no, in accordance with the UK GDPR, the transfer cannot be made.

What is a ‘restricted transfer’?

A business makes a restricted transfer when:

  • it processes, or handles, personal data; and
  • it sends/exports that personal data, or makes that personal data accessible, to a receiver/importer outside of the UK, the EEA, or another location that meets the adequacy regulation requirements; and
  • the receiver is legally distinct from the business.

Undertaking a transfer impact assessment

If no adequacy regulation is in place in relation to the location where a business intends to transfer personal data, then before relying on any of the appropriate safeguards, the business must be satisfied that the personal data to be transferred, and the individuals that that data identifies and relates to, will be afforded an essentially equivalent level of protection to the UK data protection regime.

To do this, businesses should undertake a risk assessment that identifies the protections afforded by the appropriate safeguard on which they intend to rely and assesses the data protection regime of the destination country, including any likely public authority access to the data in that country.

If a business concludes that the appropriate safeguard may not provide individuals with adequate protection, then the only remaining avenue to lawfully allow the transfer is an exception (see below).

Setting appropriate safeguards

When considering making a restricted transfer of personal data, many businesses will likely find that the Standard Contractual Clauses (SCCs) are the most suitable appropriate safeguard to rely upon.

The SCCs are a set of model contractual clauses that set out the obligations of the exporter and importer (receiver) of the personal data, and the enforceable rights of the individuals that the personal data identifies and relates to.

UK businesses (exporters) should enter into a contract with receivers (importers) that incorporates the SCCs, before making any restricted transfer of personal data.

In practice, however, this may not always be possible.

If a business intends to make a restricted transfer of personal data through its proposed use of a service or software platform that is owned and operated by, for instance, a large tech company (think Google or Amazon), then, before making that transfer, the business should satisfy itself either that the data is handled by that company in the UK, the EEA or another location that meets the adequacy regulation requirements, or that the SCCs are reflected fully in the service agreement that accompanies the business’s use of that service or software platform.

If the SCCs are not fully reflected in the service agreement, then a business wishing to make a restricted transfer must be able to rely on one of the exceptions.

Exceptions

The exceptions include gaining explicit consent from individuals, and necessity of the transfer in order to perform contracts with individuals.

Gaining the explicit consent of individuals may appear to be the most straightforward exception for businesses to rely upon but gaining the consents in a lawful manner may not be easy.

International Data Transfer Agreement and Addendum

Following the ICO’s consultation last year, the Department for Culture, Media and Sport (DCMS) has laid before Parliament the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum (Addendum) to the European Commission’s standard contractual clauses (SCCs).

If the documents are approved by Parliament and no objections are raised, then they will come into force on 21 March 2022. Exporters of personal data will be able to use the IDTA or the Addendum as a tool to enable compliance with Article 46 UK GDPR when making restricted transfers.

The importance of compliance

To ensure and demonstrate compliance, businesses must be aware of where they transfer personal data.

The easiest way to achieve this is to keep a centralised record of processing activities, which details how the business handles personal data, including where personal data is transferred and the lawful basis for any transfer.

It is important to remember that one of the principles of GDPR is transparency. Businesses must tell individuals what they are doing with their personal data.

If the personal data of the employees or customers of a business is to be transferred outside of the UK, then those same employees or customers must be alerted to that fact; and if a restricted transfer of personal data is to be made, then the reasoning behind the decision that allows that restricted transfer should be readily available.

Accordingly, privacy policies, privacy notices and other documentation required under UK GDPR should be routinely reviewed to make sure that they are accurate and up to date and to ensure they detail any international transfers of personal data, whether restricted or unrestricted.

If you wish to update your data privacy policies, or need help with any other data protection matter, please contact David Edwards in our regulatory team on 01772 258321.