GDPR Register Transfer Data
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
The Transfer Data Register is a register to record all data transfer outside of the European Union within your privacy network.
The data entry form for each register entry allows you to record the following:
- The status of this transfer, one of:
  - Pending Assessment
  - Pending Response
  - Pending Authorisation
  - Pending Action
- Data Transfer Title: e.g. Request for mailing list to be sent to USA.
- Notification Method: e.g. Email, Telephone call.
- Requesting Notes: Describe all details known about the request, e.g. Mailing list to be sent to USA partners.
- Data Assessment: What personal data will be affected by this request, e.g. Contact information relating to web site sign-ups for similar products; the T&Cs use a positive opt-in and inform users that their data will be sent to partners.
- Data Subject: Based on the Data Assessment, which actual data items/people are affected, e.g. Data possibly affected is Name, Address, Email, Telephone.
- Data Subject Response: The response of the Data Subject(s) (Individual, Group, Company, etc.), e.g. Please remove all data from your systems.
- Recommendations: Based on the Data Assessment, Data Subject Response and Policy/Procedures in place, recommendations to close out this item, e.g. Transfer via encrypted ip file via VPN.
- Actions: A log of all actions that were generated as part of this entry.
When can personal data be transferred outside the European Union?
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.
Transfers on the basis of a Commission decision
Transfers may be made where the Commission has decided that a third country, a territory or one or more specific sectors in the third country, or an international organisation ensures an adequate level of protection.
Transfers subject to appropriate safeguards
You may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.
Adequate safeguards may be provided for by:
- a legally binding agreement between public authorities or bodies;
- binding corporate rules (agreements governing transfers made between organisations within a corporate group);
- standard data protection clauses in the form of template transfer clauses adopted by the Commission;
- standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission;
- compliance with an approved code of conduct approved by a supervisory authority;
- certification under an approved certification mechanism as provided for in the GDPR;
- contractual clauses authorised by the competent supervisory authority; or
- provisions inserted into administrative arrangements between public authorities or bodies, authorised by the competent supervisory authority.
The GDPR limits your ability to transfer personal data outside the EU where this is based only on your own assessment of the adequacy of the protection afforded to the personal data.
Authorisations of transfers made by Member States or supervisory authorities, and decisions of the Commission regarding adequate safeguards, made under the Directive will remain in force until amended, replaced or repealed.
The GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations. A transfer, or set of transfers, may be made where the transfer is:
- made with the individual’s informed consent;
- necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request;
- necessary for the performance of a contract made in the interests of the individual between the controller and another person;
- necessary for important reasons of public interest;
- necessary for the establishment, exercise or defence of legal claims;
- necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or
- made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).
The first three derogations are not available for the activities of public authorities in the exercise of their public powers.
What about one-off (or infrequent) transfers of personal data concerning only relatively few individuals?
Even where there is no Commission decision authorising transfers to the country in question, it is not possible to demonstrate that individuals’ rights are protected by adequate safeguards, and none of the derogations apply, the GDPR provides that personal data may still be transferred outside the EU. However, such transfers are permitted only where the transfer:
- is not being made by a public authority in the exercise of its public powers;
- is not repetitive (similar transfers are not made on a regular basis);
- involves data related to only a limited number of individuals;
- is necessary for the purposes of the compelling legitimate interests of the organisation (provided such interests are not overridden by the interests of the individual); and
- is made subject to suitable safeguards put in place by the organisation (in the light of an assessment of all the circumstances surrounding the transfer) to protect the personal data.
In these cases, organisations are obliged to inform the relevant supervisory authority of the transfer and provide additional information to individuals.