The General Data Privacy Regulations (GDPR) is a set of laws to safeguard personal data and privacy for the European Union (EU) and European Economic Area (EEA). One may think that it does not affect international corporations, but the law still governs the movement of data out of the EU, and non-compliance could cost your company a fine of up to €20,000,000 or 4% global turnover, whichever is highest. Let the GDPR analysis experts at Blackhawk Intelligence break down the information you need to know.
Under article 44 of the GDPR, any transfer of personal data to a third country or international organisation for the purpose of processing, either before or after the transfer, is only allowed under certain conditions. These conditions take the form of a series of questions, as well as certain restrictions on the types of transfer that can occur.
The GDPR applies to controllers and processors within the EEA, meaning due to the risk of individuals losing the protection of GDPR if their data is moved outside of the EEA, the transfer of data outside the EEA is restricted, with certain exceptions. Transfers of this nature are known as restricted transfers.
Making a Restricted Transfer
You are making a restricted transfer if the following applies:
- The GDPR applies to your processing of the personal data you are transferring.
- You are sending personal data, or making personal data accessible to a receiver to which the GDPR does not apply. Typically because they are located in a country outside the EEA.
The receiver is a separate organisation or individual. The receiver cannot be employed by you or by your company.
- You collect information about individuals on paper, which is not ordered or structured in any way, and you send this to a service company located outside of the EEA.
Note that if you load personal data onto a public website that can be accessed from outside the EEA, then this is treated as a restricted transfer as well.
To make a restricted transfer you must answer a series of questions:
- Are you planning to make a restricted transfer of personal data outside of the EEA? If not, then you can make the transfer.
- Do you need to make a restricted transfer of personal data in order to meet your purposes? If not, then you can make the transfer without including personal data.
- Has the EU made an ‘adequacy decision’ in relation to the country or territory where the receiver is located or a sector which covers the receiver? If so, then you can make the transfer.
- Have you put in place one of the ‘appropriate safeguards’ referred to in the GDPR? If so, then you can make the transfer
- Does an exception provided for in the GDPR apply? If so, then you can make the transfer.
If you do not satisfactorily meet the above conditions, then the transaction is illegal and should not take place. Considering that the fines for doing so can be extremely high, especially for wilful non-compliance, ensure you’re aware of whether a transfer is restricted or not. You may want to engage a digital forensic services vendor such as Blackhawk to ensure that your company meets the legal criteria in all its data transfer practices. If illegal transfers are being made, this service can help locate any evidence and identify how to prevent similar transfers in the future.
Exceptions of restricted transfers under the GDPR
There are a few exceptions laid out in Article 49 of the GDPR which allows restricted transfers even without any adequacy decisions or appropriate safeguards. They can be summarised as:
- The individual has given explicit consent to the restricted transfer. This must be on a case-by-case basis and for occasional transfers only, you cannot obtain permission for general restricted transfers. The individual must have full and precise knowledge of the transfer.
- The restricted transfer is necessary in order to perform a contract with the individual. Specifically, the transfer must be necessary to perform the core purpose of the contract.
- You need to make the restricted transfer for important reasons of public interest. The transfer is in accordance with a UK or EU law that requires it, such as in the case of international co-operation. For example, an international agreement or convention (which the UK or EU has signed) that recognises certain objectives and provides for international co-operation
- You need to make the restricted transfer to establish, make or defend a legal claim. This is permitted for occasional transfers only, and there must also be a close connection between the need for the transfer and the relevant legal claim. The claim itself must have a basis in law and a formal legally defined process.
- You need to make the restricted transfer to protect the vital interests of an individual that is physically or legally incapable of giving consent. This applies in a medical emergency where the transfer is needed in order to give the medical care required. The imminent risk of serious harm to the individual must outweigh any data protection concerns.
- You are making the restricted transfer from a public register. The register must be created under UK or EU law and must be open to either the general public or any person who can demonstrate a legitimate interest.
- You are making a one-off restricted transfer and it is in your compelling legitimate interests. This is only in truly exceptional circumstances and should not be relied upon lightly. You must prove that you are unable to use any other exceptions or safeguards first, as well as show that the transfer is necessary for compelling legitimate interests.
Note that these exceptions depend on a wide variety of factors and often end up judged on a case-by-case basis due to the complexity of the GDPR law. ICO will not confirm whether your transfer is restricted or not, so you are forced to interpret these laws yourself. It’s wise to employ a GDPR specialist to make sure that your transfer is 100% legal.
With such heavy penalties for non-compliance, you cannot afford to take chances in your data transfer practices. Our forensics team can analyse your data security, giving you a full report on how your company could be breached and where. With Blackhawk, staying on the right side of GDPR is simply a matter of making a call.
To find out more about how we can help you, get in touch on +44 (0)20 8108 9317 or fill out our Online Form.
- +44 (0)20 8108 9317