Transfers of personal data from within the UK to a recipient in another country. Is your business compliant with the UK data protection law requirements as regards the legal methods of transfer?
For international data transfers, the laws to consider include the retained EU law version of the GDPR and the Data Protection Act 2018 (DPA 2018), in this newsletter together referred to as “UK GDPR”.
For the purposes of this newsletter, a recipient means a separate organisation or individual to the transferor of the personal data.
This newsletter does not cover transferors who are public authorities or bodies, or rules relating to public interests or protection of vital interests of individuals.
Before transferring personal data, a transferor must ensure that it has a lawful basis for the transfer; otherwise it risks the consequences described below. That basis may be one of three things: reliance on a UK adequacy decision, the use of adequate safeguards, or reliance on a derogation. Each of these is explained in turn below.
Can a business rely on a UK adequacy decision in connection with the transfer?
Firstly, a business should consider if the transfer of personal data (subject to UK GDPR) to a recipient in another country is covered by a UK adequacy decision.
A UK adequacy decision is a finding by the relevant UK Secretary of State that a country, territory, sector or international organisation offers a level of data protection essentially equivalent to that in the UK. Where a UK adequacy decision applies, personal data can be transferred freely (in accordance with the terms of the decision) without the need for further authorisation from a supervisory authority.
Guidance published by the UK Government on countries (territories, sectors and organisations) deemed adequate in this regard can be found here. Since the time of publication of this guidance, a UK adequacy decision has also been confirmed for the Republic of Korea, further details can be found here.
If reliance on an adequacy decision is not possible, is it possible to use an adequate safeguard?
If an adequacy decision cannot be relied on, a transferor should consider whether it is able to put in place an adequate safeguard (referred to in the UK GDPR as an "appropriate safeguard") as the legal transfer mechanism.
Examples of adequate safeguards include the following (this list is not exhaustive):
- Standard data protection clauses in the form of a template adopted by the Information Commissioner (ICO).
- Binding corporate rules (agreements made between organisations within a corporate group).
- Compliance with an approved code of conduct approved by the ICO.
- Contractual clauses authorised by the ICO.
- Certification under an approved mechanism.
A transferor may only rely on an adequate safeguard if it can establish that enforceable data subject rights and effective legal remedies for data subjects are available in the recipient location. The ICO expects a transfer risk assessment (TRA) to be completed for this purpose before the transfer takes place.
What about exemptions (known as derogations) for specific situations?
Alternatively, the transferor should establish whether it is possible to rely on a statutory exemption (which may be available in limited circumstances). Such exemptions may include any of the following (this list is not exhaustive):
- The data subject has explicitly consented to the specific transfer, after having been informed of the possible risks that arise.
- The transfer is necessary to perform a contract and is a proportionate way of achieving the purpose. This exception will only be available in limited circumstances and will not apply if a business can reasonably achieve the same purpose by some other means.
- The transfer is necessary to establish, exercise or defend legal claims.
What are the consequences of failing to put in place a legitimate transfer mechanism?
Transferring personal data from the UK to a recipient outside the UK without a legitimate transfer mechanism in place could lead to enforcement action by the ICO. The ICO has powers to investigate and to impose fines of up to £17.5 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is the higher.
Data subjects may also bring complaints or civil claims, potentially leading to bad PR, compensation pay-outs and costs.
Businesses involved in transfers of personal data from the UK to recipients in other countries. What next steps should you take?
- A business should identify if it is transferring (or proposes to transfer) any personal data outside of the UK.
- If an international transfer is relevant, a business should identify the mechanism on which it relies (or will rely) to legitimately transfer that data.
- Where documentation in connection with such a mechanism is required, the transferor should ensure that documentation is in place before the transfer is initiated. This will include the requirement to complete a transfer risk assessment (where applicable). Businesses should stay up to date with the statutory format of the documentation required, especially given recent changes in the template documentation available in this regard from the ICO.
- Businesses should also ensure compliance, generally, with UK GDPR. (The full scope of the UK GDPR rules are not covered within this newsletter).
How 3CS can help
For further help and advice about international data transfers or any other corporate or commercial legal matter, please get in touch with your usual 3CS contact.