INTERNATIONAL DATA TRANSFER



The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.

These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

[Organisation name] may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals' rights must be enforceable, and effective legal remedies for individuals must be available following the transfer.

Adequate safeguards may be provided for by:

Item 1) a legally binding agreement between public authorities or bodies
Item 2) binding corporate rules (agreements governing transfers made between organisations within a corporate group)
Item 3) standard data protection clauses in the form of template transfer clauses adopted by the Commission
Item 4) standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission
Item 5) compliance with a code of conduct approved by a supervisory authority
Item 6) certification under an approved certification mechanism as provided for in the GDPR
Item 7) contractual clauses authorised by the competent supervisory authority, or
Item 8) provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority.

The GDPR limits [Organisation name]'s ability to transfer personal data outside the EU where this is based only on [Organisation name]'s own assessment of the adequacy of the protection afforded to the personal data.

A transfer, or set of transfers, may be made where the transfer is:

Item a) made with the individual's informed consent
Item b) necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual's request
Item c) necessary for the performance of a contract made in the interests of the individual between the controller and another person
Item d) necessary for important reasons of public interest
Item e) necessary for the establishment, exercise or defence of legal claims
Item f) necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent, or
Item g) made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).

The first three derogations are not available for the activities of public authorities in the exercise of their public powers.

INTERNATIONAL DATA TRANSFER PROCEDURE

To comply with the above Policy, [Organisation name] will:

Item a) Ensure that any transfer is made with the individual's informed consent (eg via opt-in, contract or other transparent notice)
Item b) Ensure that it is necessary for the purposes of the compelling legitimate interests of the organisation, provided such interests are not overridden by the interests of the individual (eg there is no other practicable or cost-effective solution / service available)
Item c) Ensure that suitable safeguards are put in place by the organisation (in the light of an assessment of all the circumstances surrounding the transfer) to protect the personal data
Item d) Ensure that there is an assessment of the adequacy of the protection afforded to the personal data (eg by reference to certification, audit, inspection or similar)

If you have a DPO, you must seek their advice. The DPO should provide advice on the above. You should record your DPO's advice on the DPIA.

FORM

PROPOSED INTERNATIONAL TRANSFER
Summary notes, plus attached supporting documentation

DATA PROCESSING IMPACT ASSESSMENT
Summary notes, plus attached DPIA

SAFEGUARDS
Summary notes, plus attached Review, Report and Recommendation
(that any suitable safeguards put in place by the organisation (in the light of an assessment of all the circumstances surrounding the transfer) to protect the personal data)

SUMMARY RECOMMENDATION
Summary notes, plus attached Review, Report and Recommendation
(that it is necessary for the purposes of the compelling legitimate interests of the organisation, provided such interests are not overridden by the interests of the individual. (eg there is no other practicable or cost effective solution / service available.))



Signed
Data Protection Officer or Equivalent

Signed
Director or Equivalent