Page 1

Procedure for International Transfers of Personal Data

Procedure for International Transfers of Personal Data

GDPR Toolkit Version 3 ŠCertiKit

Version 1

Page 1 of 12

[Insert date]


Procedure for International Transfers of Personal Data

Implementation Guidance (The header page and this section must be removed from final version of the document)

Purpose of this document This procedure sets out how the organisation will meet, as a minimum, the requirements of the GDPR when transferring personal data to third countries or to an international organisation.

Areas of the GDPR addressed The following articles of the GDPR are addressed by this document: Chapter V – Transfers of personal data to third countries or international organisations

General Guidance If you’re going to transfer personal data outside of the EU there are a number of hoops to jump through to ensure it stays legal. This will be affected by international politics and will change over time so the important thing is to keep an eye on the website of the supervisory authority in your country both for the list of acceptable countries and for helpful guidance on areas such as binding corporate rules.

Review Frequency We would recommend that this document is reviewed at least annually.

Toolkit Version Number GDPR Toolkit Version 3

Document Fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document): 1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name 2. Press Ctrl a on the keyboard to select all text in the document (or use Select,

Version 1

Page 2 of 12

[Insert date]


Procedure for International Transfers of Personal Data

Select All on the ribbon) 3. Press F9 on the keyboard to update all fields 4. When prompted, choose the option to just update TOC page numbers If you wish to permanently convert the fields in this document to text i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.

Copyright notice Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.

Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.

Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or

Version 1

Page 3 of 12

[Insert date]


Procedure for International Transfers of Personal Data

guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

Version 1

Page 4 of 12

[Insert date]


Procedure for International Transfers of Personal Data

[Replace with your logo]

Procedure for International Transfers of Personal Data

Document Ref. Version: Dated: Document Author: Document Owner:

Version 1

Page 5 of 12

GDPR-DOC-08-1 1 [Insert date]

[Insert date]


Procedure for International Transfers of Personal Data

Revision History Version Date

Revision Author

Summary of Changes

Distribution Name

Title

Approval Name

Version 1

Position

Signature

Page 6 of 12

Date

[Insert date]


Procedure for International Transfers of Personal Data

Contents 1

INTRODUCTION ....................................................................................................................................... 8

2

PROCEDURE FOR INTERNATIONAL TRANSFERS OF PERSONAL DATA ............................... 9 2.1 DETERMINE THE DESTINATION COUNTRY OR COUNTRIES ....................................................................... 9 2.2 ESTABLISH WHETHER AN ADEQUACY DECISION APPLIES ........................................................................ 9 2.3 IMPLEMENT APPROPRIATE SAFEGUARDS .............................................................................................. 10 2.3.1 Binding Corporate Rules ............................................................................................................ 10 2.3.2 Standard Data Protection Clauses ............................................................................................. 11 2.3.3 Codes of Conduct ....................................................................................................................... 11 2.3.4 Certification Schemes ................................................................................................................. 11 2.4 OTHER ACCEPTABLE CONDITIONS FOR TRANSFERS OF PERSONAL DATA .............................................. 11 2.5 EXCEPTIONAL TRANSFERS ................................................................................................................... 12 2.6 PUTTING THE TRANSFER IN PLACE....................................................................................................... 12

Version 1

Page 7 of 12

[Insert date]


Procedure for International Transfers of Personal Data

1 Introduction This procedure is intended to be used when putting in place a new arrangement for the transfer of personal data to a country outside of the European Union or to an international organisation. It may also be used when validating whether existing arrangements meet the requirements of the General Data Protection Regulation (GDPR). An international organisation is defined by the GDPR as “an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries” (GDPR Article 4). The intention of the GDPR is to protect the personal data of EU citizens wherever it is held; there are strict requirements governing where personal data can be transferred to and the measures that must be in place for such as transfer to be legal. The penalties for contravening the GDPR are significant and care must be taken by [Organization Name] to ensure that we remain within the law at all times. This procedure should be considered in conjunction with the following related documents: • • • • •

GDPR Controller-Processor Agreement Policy Data Protection Impact Assessment Process Records Retention and Protection Policy Privacy and Personal Data Protection Policy Data Subject Request Procedure

Version 1

Page 8 of 12

[Insert date]


Procedure for International Transfers of Personal Data

2 Procedure for International Transfers of Personal Data 2.1

Determine the destination country or countries

In order to establish whether a transfer of personal data is legal under the GDPR, the destination country or countries must be firmly established, along with any other countries that will receive an onward transfer of the personal data as part of the arrangement. This may also involve reaching a clear understanding of the legal basis of any international organisations that will be receiving the personal data, in particular the countries that are part of the agreement governing those organisations.

2.2

Establish whether an adequacy decision applies

Once a clear understanding of the destination country or countries of the personal data has been established, the list of countries and international organisations for which an adequacy decision applies must be consulted. This list is published in the Official Journal of the European Union and on the European Commission website (ec.europa.eu). [Note: currently the list of countries subject to an adequacy decision may be found at http://ec.europa.eu/justice/data-protection/internationaltransfers/adequacy/index_en.htm and is as follows: Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay ‌but this is subject to change] An adequacy decision means that the European Commission considers the level of protection for personal data in that country to be acceptable and therefore transfers do not require any additional legal safeguards to be put in place. Adequacy decisions are regularly reviewed, at least every four years and can be repealed in the event that the EC no longer considers that the country in question meets their requirements for protection of personal data. A special case in this area is that of the EU-US Privacy Shield which covers transfers of the personal data of EU citizens to the USA. US organisations that sign up to the Privacy Shield may store and process such personal data as long as they meet strict safeguards that are equivalent to the requirements of the GDPR. Personal data may effectively be transferred to such US organisations as if an adequacy decision applied. [Note: the list of organisations that are active in the EU-US Privacy Shield is here –

Version 1

Page 9 of 12

[Insert date]


Procedure for International Transfers of Personal Data

https://www.privacyshield.gov/list ] …and is also subject to change]

2.3

Implement appropriate safeguards

In the event that the country or one or more of the countries to which personal data is to be transferred is not subject to an adequacy decision from the EC, appropriate safeguards must be put in place to provide for data subjects’ rights and enforceable legal remedies. There are a number of ways in which the GDPR allows for these safeguards to be provided. These are: a) between public authorities or bodies only, via a legally binding agreement which is capable of being enforced b) using binding corporate rules c) using standard data protection clauses adopted either by the European Commission or the relevant supervisory authority d) via an approved code of conduct e) via a certification scheme The status of some of the above safeguards may change over time, as the GDPR becomes more mature and further guidance is issued both by the European Commission and the individual supervisory authorities. The most appropriate method of providing protection for the rights of data subjects whose data will be transferred should be chosen and incorporated into the contractual clauses of the relevant agreement. 2.3.1

Binding Corporate Rules

The supervisory authority that is relevant to the transfer (usually in the country of the controller of the data) has the power to approve a set of binding corporate rules (BCRs) that may be used to cover the transfer of personal data from a data protection viewpoint. These binding corporate rules are required by the GDPR to specify all aspects of the transfer, including how data protection will be provided, how data subjects will exercise their rights and how compliance will be verified. The full requirements are listed in Article 47 (“Binding corporate rules”) paragraph 2, points a) to n) of the GDPR. The initial creation and approval (by the supervisory authority) of BCRs is a significant piece of work that must be approached with the full commitment of the senior management of [Organization Name] and may take a long time to achieve (more than twelve months is not uncommon). There may be an existing set of BCRs that may apply to the transfer being considered and advice should be sought from

Version 1

Page 10 of 12

[Insert date]


Procedure for International Transfers of Personal Data

the legal department if it is intended to use this route to comply with the GDPR with regard to a data transfer. 2.3.2

Standard Data Protection Clauses

The European Commission and each of the individual supervisory authorities may create and maintain sets of model data protection clauses that are intended to be used in contracts that apply to the international transfer of personal data. When used in their entirety, these clauses are generally accepted as meeting the requirements of the GDPR to provide adequate safeguards. To obtain the latest version of these clauses, refer to the website of the relevant supervisory authority. 2.3.3

Codes of Conduct

Article 40 of the GDPR (“Codes of conduct�) provides for the drawing up of appropriate codes of conduct by organisations such as associations and industry bodies to address compliance with the GDPR. Organisations then agree to abide by the code of conduct and their compliance is monitored by the relevant association. Such a code of conduct may be used to cover an international transfer of personal data and whether [Organization Name] has already, or could, sign up to such a code, may be investigated as a possible route to provide appropriate safeguards. 2.3.4

Certification Schemes

Certification to an approved scheme may also be used to demonstrate that appropriate safeguards are in place to protect the transfer of personal data internationally. This will apply to both the sender and recipient of the data and will require that an approved certification scheme is available in the country of the recipient.

2.4

Other acceptable conditions for transfers of personal data

In the event that an adequacy decision does not apply to the destination country and appropriate safeguards cannot be put in place via the above methods, a transfer of personal data may only be made internationally if one of the following situations applies: a) the data subject explicitly consents to the transfer, having been informed of the risks b) the transfer is necessary to meet contractual commitments to the data subject or the data subject asks for the transfer prior to contract c) the transfer is in the data subject’s interests with regard to a contract d) it is for important reasons of public interest (recognised by law)

Version 1

Page 11 of 12

[Insert date]


Procedure for International Transfers of Personal Data

e) the transfer is to do with a legal claim f) the data subject’s vital interests are protected by the transfer or if they are unable to consent g) the transfer is made from a public register The specifics of each of these conditions must be reviewed directly from the GDPR Article 49 (“Derogations for specific situations”) before basing a transfer on them.

2.5

Exceptional Transfers

If none of the conditions set out in this procedure apply then an international transfer of personal data may only take place if all of the following conditions apply: a) The transfer is not repetitive b) A limited number of data subjects is involved c) It is for compelling legitimate interests which are not overridden by those of the data subject d) All of the circumstances of the data transfer have been assessed e) Suitable safeguards are provided, based on the assessment f) The assessment and the safeguards are documented g) The supervisory authority is informed of the transfer h) The data subject is informed of the data transfer and the reasons for it i) The data subject is informed about his/her rights under the GDPR Refer to GDPR Article 49 (“Derogations for specific situations”) paragraph 1 for the exact definitions of the above conditions.

2.6

Putting the Transfer in Place

Once the legal basis of the transfer of personal data has been established and approved, the mechanics of achieving the transfer should be addressed. These will vary according to factors such as the type and volume of data involved, the destination and the technology used. Care must be taken to ensure that the safeguards that have been agreed to as part of the setting up of the transfer are adhered to and that evidence of their use is maintained for future audit purposes. The website of the European Commission and the relevant supervisory authority should be monitored so that any changes that affect the legality or performance of the transfer are identified and acted upon.

Version 1

Page 12 of 12

[Insert date]

Gdpr doc 08 1 procedure for international transfers of personal data  
Gdpr doc 08 1 procedure for international transfers of personal data