Can I make international transfers of personal data under GDPR?
International transfers of personal data outside of the EEA (the European Economic Area) are restricted under the General Data Protection Regulation (GDPR). So what does this mean for those of us who use big software companies, and what, when and how can you legally transfer personal data across borders?
We recently held a webinar looking at financial advisers’ and financial planners’ questions around GDPR. We were asked whether firms need to check every single supplier they use to see if it transfers data internationally. In short, the answer is yes: you need to check every supplier that stores or processes personal information on your behalf, and record which transfer mechanism each one relies on. If you don’t, you are handing clients’ personal information to an organisation that might not be protecting it in line with GDPR, and as the controller you remain responsible for that data.
Why international transfers of personal data are restricted
GDPR is a European law. Every country in the EU operates to the same requirements, so if you send personal data within the EU it keeps the same legal protection wherever it goes. As soon as the data leaves the EU, that legal protection of individuals’ privacy rights might not be the same, so GDPR requires any company sending or storing data outside the EU to make sure the right protection controls are in place before the transfer happens.
There’s a clear responsibility here: if your company is going to transfer personal data outside the EU (or, more accurately, the EEA, which adds Norway, Iceland and Liechtenstein) then it is responsible for safeguarding it.
Which countries can I transfer personal data to?
In practice, what you are permitted to do depends on which country you’re sending the data to (or storing it in). Some countries have been deemed ‘adequate’ by the European Commission (the European Data Protection Board gives an opinion on these decisions but does not make them), which means personal data can flow to them without further safeguards. As at July 2018, the adequacy list included Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. Adequacy decisions can be reviewed or withdrawn, so check the Commission’s current list before relying on one.
The USA is not on that list as a whole. In July 2018 a transfer to a US company was permitted if the company storing or using the data for you was certified under the ‘EU-US Privacy Shield’ framework, which you could verify on the publicly searchable Privacy Shield list. Note that the Court of Justice of the EU invalidated Privacy Shield in July 2020 (the Schrems II judgment), so a US supplier’s Privacy Shield certification no longer counts as a lawful transfer mechanism on its own and you need another mechanism, such as standard contractual clauses, instead.
Beyond these countries, you can still send or store data elsewhere, but you must put the European Commission’s standard contractual clauses (SCCs) in place with the receiver, complete and un-amended (you can add commercial terms around them, but not change the clauses themselves), so that the receiver is contractually bound to protect the data to GDPR standards. Large multinational groups may instead rely on approved binding corporate rules, and a narrow set of derogations (for example the individual’s explicit, informed consent to a specific transfer) exists for occasional transfers, but SCCs are the mechanism most firms will encounter with their suppliers.
Data held by international software companies
Most large software companies (the likes of Google, Microsoft, QuickBooks, Xero, Mailchimp and Sage, to name a few) may transfer your personal data to the US and other countries. These organisations are highly likely to already have measures in place, and you can usually find them in their privacy notices, data processing terms and GDPR compliance pages with a quick internet search. What you are looking for is: which countries they (and their sub-processors) move data to, which transfer mechanism they rely on for each, and a data processing agreement you can sign or accept that covers it.
Some of these software companies let you choose to keep personal data within the EU, for example by selecting an EU data centre region when you set up your account. Check the small print, though: a regional storage option does not always stop support staff or sub-processors elsewhere from accessing the data, so you may still need a transfer mechanism in place.
Find out more about cross-border data transfers under GDPR
Astrid’s secure online data protection platform has complete guidance on what you need to do to get your international transfers set up properly and under control. Find out more about how we can help ensure your cross-border data transfers are compliant and meet all other requirements under GDPR.
Read the ICO guidance on international data transfers under GDPR here.
See how Astrid can help you become and remain GDPR compliant