international transfer

On 12 February 2019, the European Data Protection Board (EDPB) met for its seventh plenary session. You can see our blog on the full session here.

At this session, the EDPB adopted two information notes. The notes offer guidance on data protection issues in the event of a no-deal Brexit, covering data transfers generally and lead supervisory authorities for binding corporate rules (BCR lead).

Data transfers in the event of a no-deal Brexit

The guidance is separated into three distinct sections.

Preparation for transfers of data from the EEA to the UK

The EDPB sets out five steps for businesses to take in advance of Brexit. Businesses that transfer data from the European Economic Area (EEA) to the United Kingdom (UK) should start preparing now. To prepare, the EDPB suggests the following:

I. Identify the processing activities that require the transfer of personal data

II. Determine the data transfer mechanism that is most appropriate on the facts

III. Prepare the relevant transfer mechanism in advance of 30 March 2019

IV. Indicate in internal documents that you will be transferring data to the UK

V. Update your privacy notices accordingly.


The Information Commissioner’s Office (ICO) has published new guidance on international data transfers (the guidance) under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

Ex-EU personal data transfers

The GDPR restricts the transfer of personal data to non-EU countries or international organisations.

The ICO has clarified that a transfer is restricted if:

  • The GDPR applies to the processing of in-scope personal data. GDPR Articles 2 and 3 set out the GDPR’s scope. The ICO states that the GDPR generally applies “if you are processing personal data in the EU”. The GDPR may also apply “in specific circumstances if you are outside the EU and processing personal data about individuals in the EU”.
  • An organisation sends personal data, or makes it accessible, to a receiver to which the GDPR does not apply. This will usually be because the receiver is located outside of the EU.
  • The receiver is a separate organisation or individual. The receiver could be an affiliate or subsidiary company, but not an employee of the transferring organisation.

Transfer or transit?

The ICO states that transit of personal data is not the same as a transfer of personal data. If personal data is just electronically routed between EU countries via a non-EU country, no restricted transfer has taken place. The ICO gives the example of personal data transferring between Irish and French controllers through a server in Australia. No restricted transfer occurs where there is no intention that the personal data can be accessed or manipulated during transit.
