GDPR-DOC-08-1 Procedure for International Transfers of Personal Data

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This procedure sets out how the organisation will meet, as a minimum, the requirements of the GDPR when transferring personal data to third countries or to an international organisation.

Areas of the GDPR addressed

The following article of the GDPR is addressed by this document:

• Chapter V – Transfers of personal data to third countries or international organisations

General guidance

If you’re going to transfer personal data outside of the EU, there are several hoops to jump through to ensure it stays legal. This will be affected by international politics and will change over time, so the important thing is to keep an eye on the website of the supervisory authority in your country and of the European Commission, both for the list of acceptable countries and for helpful guidance on areas such as standard contractual clauses (SCCs) and binding corporate rules. In July 2023, the EU US Data Privacy Framework came into force to allow transfers to the US under an adequacy decision, and an adequacy decision is also in place for the UK post-Brexit However, these areas are potentially subject to change, and it is important to keep up to date with developments in both of these areas.

Note that the current version of the EC standard contractual clauses (at the date of publication of the CertiKit toolkit) is now included in the toolkit and may be used where an adequacy decision is not in place. Check the European Commission website for any updates before using these SCCs.

Review frequency

We would recommend that this document is reviewed at least annually.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions

This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

Procedure for International Transfers of Personal Data

DOCUMENT REF GDPR-DOC-08-1

VERSION 1

DATED [Insert date]

DOCUMENT AUTHOR [Insert name]

DOCUMENT OWNER [Insert name/role]

Revision history

Approval

1 Introduction

This procedure is intended to be used when putting in place a new arrangement for the transfer of personal data to a country outside of the European Union or to an international organisation. It may also be used when validating whether existing arrangements meet the requirements of the General Data Protection Regulation (GDPR).

An international organisation is defined by the GDPR as “an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries” (GDPR Article 4)

The intention of the GDPR is to protect the personal data of EU citizens wherever it is held; there are strict requirements governing where personal data can be transferred to and the measures that must be in place for such as transfer to be legal. The penalties for contravening the GDPR are significant, and care must be taken by [Organization Name] to ensure that we remain within the law at all times.

This procedure should be considered in conjunction with the following related documents:

• GDPR Controller-Processor Agreement Policy

• Data Protection Impact Assessment Process

• Records Retention and Protection Policy

• Data Protection Policy

• Data Subject Request Procedure

2 Procedure for international transfers of personal data

2.1 Determine the destination country or countries

In order to establish whether a transfer of personal data is legal under the GDPR, the destination country or countries must be firmly established, along with any other countries that will receive an onward transfer of the personal data as part of the arrangement.

This may also involve reaching a clear understanding of the legal basis of any international organisations that will be receiving the personal data, in particular the countries that are part of the agreement governing those organisations.

2.2 Establish whether an adequacy decision applies

Once a clear understanding of the destination country or countries of the personal data has been established, the list of countries and international organisations for which an adequacy decision applies must be consulted. This list is published in the Official Journal of the European Union and on the European Commission website (ec.europa.eu).

[Note: currently the list of countries subject to an adequacy decision may be found at:

https://commission.europa.eu/law/law-topic/data-protection/international-dimensiondata-protection/adequacy-decisions_en

and is as follows: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay

…but this is subject to change ]

An adequacy decision means that the European Commission considers the level of protection for personal data in that country to be acceptable and therefore transfers do not require any additional legal safeguards to be put in place. Adequacy decisions are regularly reviewed, at least every four years and can be repealed if the EC no longer considers that the country in question meets their requirements for protection of personal data.

2.3 Implement appropriate safeguards

If the country or one or more of the countries to which personal data is to be transferred is not subject to an adequacy decision from the EC, appropriate safeguards must be put in place to provide for data subjects’ rights and enforceable legal remedies.

There are several ways in which the GDPR allows for these safeguards to be provided. These are:

1. Between public authorities or bodies only, via a legally binding agreement which is capable of being enforced

2. Using binding corporate rules

3. Using standard data protection clauses adopted either by the European Commission or the relevant supervisory authority

4. Via an approved code of conduct

5. Via a certification scheme

The status of some of the above safeguards may change over time, as the GDPR becomes more mature and further guidance is issued both by the European Commission and the individual supervisory authorities.

The most appropriate method of providing protection for the rights of data subjects whose data will be transferred should be chosen and incorporated into the contractual clauses of the relevant agreement.

2.3.1 Binding corporate rules

The supervisory authority that is relevant to the transfer (usually in the country of the controller of the data) has the power to approve a set of binding corporate rules (BCRs) that may be used to cover the transfer of personal data from a data protection viewpoint.

These binding corporate rules are required by the GDPR to specify all aspects of the transfer, including how data protection will be provided, how data subjects will exercise their rights and how compliance will be verified. The full requirements are listed in Article 47 (“Binding corporate rules”) paragraph 2, points a) to n) of the GDPR.

The initial creation and approval (by the supervisory authority) of BCRs is a significant piece of work that must be approached with the full commitment of the senior management of [Organization Name] and may take a long time to achieve (more than twelve months is not uncommon). There may be an existing set of BCRs that may apply to the transfer being considered and advice should be sought from the legal department if it is intended to use this route to comply with the GDPR regarding a data transfer.

2.3.2 Standard contractual clauses

The European Commission and each of the individual supervisory authorities may create and maintain sets of model data protection clauses that are intended to be used in contracts that apply to the international transfer of personal data. When used in their entirety, these clauses are generally accepted as meeting the requirements of the GDPR to provide adequate safeguards.

To obtain the latest version of these clauses, refer to the website of the relevant supervisory authority or the European Commission.

2.3.3 Codes of conduct

Article 40 of the GDPR (“Codes of conduct”) provides for the drawing up of appropriate codes of conduct by organisations such as associations and industry bodies to address compliance with the GDPR. Organisations then agree to abide by the code of conduct and their compliance is monitored by the relevant association.

Such a code of conduct may be used to cover an international transfer of personal data and whether [Organization Name] has already, or could, sign up to such a code, may be investigated as a possible route to provide appropriate safeguards.

2.3.4 Certification schemes

Certification to an approved scheme may also be used to demonstrate that appropriate safeguards are in place to protect the transfer of personal data internationally. This will apply to both the sender and recipient of the data and will require that an approved certification scheme be available in the country of the recipient.

2.4 Other acceptable conditions for transfers of personal data

If an adequacy decision does not apply to the destination country and appropriate safeguards cannot be put in place via the above methods, a transfer of personal data may only be made internationally if one of the following situations applies:

1. The data subject explicitly consents to the transfer, having been informed of the risks

2. The transfer is necessary to meet contractual commitments to the data subject or the data subject asks for the transfer prior to contract

3. The transfer is in the data subject’s interests with regard to a contract

4. It is for important reasons of public interest (recognised by law)

5. The transfer is to do with a legal claim

6. The data subject’s vital interests are protected by the transfer or if they are unable to consent

7. The transfer is made from a public register

The specifics of each of these conditions must be reviewed directly from the GDPR Article 49 (“Derogations for specific situations”) before basing a transfer on them.

2.5 Exceptional transfers

If none of the conditions set out in this procedure apply, then an international transfer of personal data may only take place if all the following conditions apply:

1. The transfer is not repetitive

2. A limited number of data subjects is involved

3. It is for compelling legitimate interests which are not overridden by those of the data subject

4. All the circumstances of the data transfer have been assessed

5. Suitable safeguards are provided, based on the assessment

6. The assessment and the safeguards are documented

7. The supervisory authority is informed of the transfer

8. The data subject is informed of the data transfer and the reasons for it

9. The data subject is informed about his/her rights under the GDPR

Refer to GDPR Article 49 (“Derogations for specific situations”) paragraph 1 for the exact definitions of the above conditions.

2.6 Putting the transfer in place

Once the legal basis of the transfer of personal data has been established and approved, the mechanics of achieving the transfer should be addressed. These will vary according to factors such as the type and volume of data involved, the destination and the technology used.

Care must be taken to ensure that the safeguards that have been agreed to as part of the setting up of the transfer are adhered to and that evidence of their use is maintained for future audit purposes.

The website of the European Commission and the relevant supervisory authority should be monitored so that any changes that affect the legality or performance of the transfer are identified and acted upon.