Many businesses that are subject to the UK GDPR will transfer personal data internationally. This may be because it is payroll data being processed by a company abroad or because a business operates across a number of countries.
Whatever the reason, the UK GDPR’s rules on international transfers are likely to apply and these can be amongst the most challenging to interpret and use.
What are the rules on international transfers?
The UK GDPR contains a number of mechanisms permitting the transfer of personal data internationally.
Article 45 UK GDPR: the personal data is being transferred to a jurisdiction that benefits from a "UK adequacy decision"
This is a decision made by the UK government that the destination country’s legal framework provides an adequate level of protection for personal data. Jurisdictions that currently benefit from an adequacy decision include the EU/EEA, Israel, New Zealand, South Korea and Switzerland. More recently, the UK has approved a UK-US Data Bridge, which deems the US as providing an adequate level of protection in relation to data covered by the EU-US Data Privacy Framework; any US transferee must therefore be an organisation listed under that framework.
Article 46 UK GDPR: transfers subject to adequate safeguards, namely the use of Standard Contractual Clauses or “model clauses”
In the absence of an adequacy decision, in practice, the most appropriate mechanism available to ensure that regular international transfers of personal data to a third party are compliant is likely to be the use of these clauses.
This requires the transferor and transferee of personal data to have contracts in place that contain the required contractual clauses. There are two forms of clauses that may be used:
- The International Data Transfer Agreement (IDTA); or
- The EU’s Standard Contractual Clauses, plus the UK’s Addendum to these.
Making a choice between the IDTA and the Addendum will depend on the individual scenario in which the personal data is being transferred. In either case, a Transfer Risk Assessment (TRA) must also be carried out before the transfers are made. This is a documented assessment that the relevant UK GDPR protections will not be undermined as a result of the transfer.
Article 47 UK GDPR: the use of Binding Corporate Rules
It is possible for international groups of companies to transfer personal data around the group using this mechanism, provided the UK GDPR requirements for the rules are met. These are reasonably complex, and require an application to the UK ICO.
Article 49 UK GDPR: the use of other “derogations”
If none of the above apply, there are a number of “derogations” which can be used in specific situations. The derogations are exceptions and are not intended to cover the regular transfers of personal data that a business might be expected to make. These include:
- The data subject has explicitly consented to the proposed transfer
- The transfer is necessary for the performance of a contract between the data subject and the controller
- The transfer is necessary for important reasons of public interest
- The transfer is necessary in order to protect the vital interests of the data subject
Article 49 UK GDPR: the legitimate interests derogation
Where none of the above can apply, the final paragraph of Article 49 envisages that a “legitimate interests” test might be used to justify “one-off” transfers. However, ICO guidance states this is “only for truly exceptional circumstances.”
Key pointers
- Do not assume that international intra-group transfers are exempt - they are not
- Always check where service providers or other transferees will hold the personal data they receive - just because they are UK-based does not mean that no international transfers will take place, as the transferred personal data may be stored abroad
- If data is being transferred, does that country benefit from an adequacy decision, or are model clauses and a TRA required?
- Consider prohibiting a service provider from changing server location to avoid a compliant transfer becoming non-compliant
For more information or advice on data protection compliance, please contact Beverley Flynn or another member of the commercial and technology team.