The eighth data protection principle provides that: “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data” (Part 1 of Schedule 1 to the DPA).
If you decide you need to transfer personal data outside the EEA, and the recipient is not in a country subject to a positive finding of adequacy by the Commission, nor signed up to the EU-US Privacy Shield, you will need to:
- conduct a risk assessment into whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects; or
- if you do not find there is an adequate level of protection, put in place adequate safeguards to protect the rights of the data subjects, possibly using Model Contract Clauses or Binding Corporate Rules; or
- consider using one of the other statutory exceptions to the Eighth Principle restriction on international transfers of personal data.
Global data transfers are complex to navigate and we can help you easily do this.
Other things to consider are:
Controller to controller clauses
Controller to processor clauses
For existing contracts, amending the clauses, incorporating the clauses in other contracts and inserting additional clauses
Making your own assessment of the adequacy of the level of protection for the rights of data subjects
Binding Corporate Rules
International outsourcing arrangements
We and our legal team can conduct a full review and propose the simplest, but most effective route to international compliance for you.