Overview of the 8th principle
Sponsored Links
This presentation is the property of its rightful owner.
1 / 12

Overview of the 8th principle PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Overview of the 8th principle. Emma Butler Senior Policy Officer - international. #dpoc2012. What does it say? . Personal data can’t be transferred outside the European Economic Area (EEA) unless the territory offers an adequate level of protection No transfer without adequacy

Download Presentation

Overview of the 8th principle

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Overview of the 8th principle

Overview of the 8th principle

Emma Butler

Senior Policy Officer - international


What does it say

What does it say?

  • Personal data can’t be transferred outside the European Economic Area (EEA) unless the territory offers an adequate level of protection

  • No transfer without adequacy

  • Determine adequacy (different ways)

  • Derogations – where the principle doesn’t apply

The preferred approach

The preferred approach

  • 1Do you need to transfer personal data? Can the data be anonymised for example?

  • 2Is there a transfer? (consider transit, s1(3) - information held as data after transfer, Lindqvist).

  • 3Have you complied with the other data protection principles?

  • 4Is the transfer to a country outside the EEA?

  • 5Has there been a finding of adequacy by the EU Commission of the destination country?

The preferred approach1

The preferred approach

  • 6Is the transfer to a member of the US Safe Harbor scheme?

  • 7Can you assess adequacy in line with schedule 1, part 2, paragraph 13? (adequacy assessment)

  • 8Can you put in place adequate safeguards by the use of model contracts / BCR (for intra-group transfers)?

  • 9Do any of the schedule 4 derogations apply?

  • 10Have you recorded the basis on which you have made your decisions?

Derogations schedule 4

Derogations – Schedule 4

  • Eighth principle does not apply if a Schedule 4 condition applies.

  • Data subject consent

  • Contract with data subject

  • Contract in the interest of data subject

  • Substantial public interest

  • Personal data in public register

  • Legal proceedings/advice/rights

  • Vital interests of data subject

  • Adequate safeguards for rights and freedoms of data

  • subjects – terms approved by Commissioner (model clauses); authorised by Commissioner (BCR)

Adequacy assessment

Adequacy assessment

  • An adequate level of protection requires consideration of:

  • nature of personal data being transferred

  • origin and destination countries involved

  • purpose of processing and period of processing

  • nature of regimes (international obligations)

  • relevant codes of conduct

  • applicable laws in force which can apply to the processing

  • security of processing.

  • Note: the above considerations should be included in any risk analysis which is performed (link to seventh principle).

Adequacy assessment1

Adequacy assessment

  • When considering international obligations look at:

  • adoption of Council of Europe Convention No. 108?

  • adoption of OECD and UN Guidelines on Data Protection?

  • human rights considerations (due process if the police and other authorities want to interfere with private life; the rule of law)?

  • “Safe Harbor” in the USA or whether territory appears in the European Commission list of “approved states”?

  • the rule of law in general

Transfer to a data processor

Transfer to a data processor

  • Principle less of an issue if transfer is to a data processor.

  • Data controller subject to UK law

  • Data processor bound by contract to data controller

  • Risk analysis covers both 7th and 8th principles

  • Data processor cannot process personal data for own purposes

  • Problems with security (rather than transfer) can arise if the data processor is based in a country where the rule of law and respect for rights, as per a democratic state, are not established.

Transfer to a data controller

Transfer to a data controller

  • Issues arise when the transfer is to a data controller.

  • Transfer is a “processing” operation, so all the other principles apply

  • First principle – Schedule 2 grounds (and Schedule 3 if necessary)

  • First principle – fair processing requirements re disclosure

  • First principle – lawful processing re disclosure

  • Second principle – compatibility of disclosure with purpose(s) specified at the time of obtaining

  • Seventh principle – security of disclosure; disclosure authorised; risk assessment; disclosure procedures in place



  • ICO website

  • ICO data protection guide - principle 8

  • ICO's preferred approach to transfers

  • Outsourcing

  • BCR page

  • European Commission website: international transfers

  • Model clauses

  • 2004 controller to controller

  • 2001 controller to controller

  • 2010 controller to processor

  • Safe Harbor

Overview of the 8th principle

Keep in touch

Subscribe to our e-newsletter atwww.ico.gov.uk

or find us on…

  • www.twitter.com/iconews

Overview of the 8th principle


Cloud computingThe Buckingham Suite

Data SharingThe Grand Room



Subject access requests and information held in complaints filesPalace 7

Do all members of your organisation understand the importance of data management?Palace 6



Principle 8: Binding Corporate RulesPalace 1

Reporting breachesThe Oak Room



Using personal data for medical researchPalace 4

Section 40 Tribunal decisionsPalace 5


  • Login