Overview of the 8th principle
1 / 12

Overview of the 8th principle - PowerPoint PPT Presentation

  • Updated On :

Overview of the 8th principle. Emma Butler Senior Policy Officer - international. #dpoc2012. What does it say? . Personal data can’t be transferred outside the European Economic Area (EEA) unless the territory offers an adequate level of protection No transfer without adequacy

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Overview of the 8th principle' - brinda

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Overview of the 8th principle

Overview of the 8th principle

Emma Butler

Senior Policy Officer - international


What does it say
What does it say?

  • Personal data can’t be transferred outside the European Economic Area (EEA) unless the territory offers an adequate level of protection

  • No transfer without adequacy

  • Determine adequacy (different ways)

  • Derogations – where the principle doesn’t apply

The preferred approach
The preferred approach

  • 1 Do you need to transfer personal data? Can the data be anonymised for example?

  • 2 Is there a transfer? (consider transit, s1(3) - information held as data after transfer, Lindqvist).

  • 3 Have you complied with the other data protection principles?

  • 4 Is the transfer to a country outside the EEA?

  • 5 Has there been a finding of adequacy by the EU Commission of the destination country?

The preferred approach1
The preferred approach

  • 6 Is the transfer to a member of the US Safe Harbor scheme?

  • 7 Can you assess adequacy in line with schedule 1, part 2, paragraph 13? (adequacy assessment)

  • 8 Can you put in place adequate safeguards by the use of model contracts / BCR (for intra-group transfers)?

  • 9 Do any of the schedule 4 derogations apply?

  • 10 Have you recorded the basis on which you have made your decisions?

Derogations schedule 4
Derogations – Schedule 4

  • Eighth principle does not apply if a Schedule 4 condition applies.

  • Data subject consent

  • Contract with data subject

  • Contract in the interest of data subject

  • Substantial public interest

  • Personal data in public register

  • Legal proceedings/advice/rights

  • Vital interests of data subject

  • Adequate safeguards for rights and freedoms of data

  • subjects – terms approved by Commissioner (model clauses); authorised by Commissioner (BCR)

Adequacy assessment
Adequacy assessment

  • An adequate level of protection requires consideration of:

  • nature of personal data being transferred

  • origin and destination countries involved

  • purpose of processing and period of processing

  • nature of regimes (international obligations)

  • relevant codes of conduct

  • applicable laws in force which can apply to the processing

  • security of processing.

  • Note: the above considerations should be included in any risk analysis which is performed (link to seventh principle).

Adequacy assessment1
Adequacy assessment

  • When considering international obligations look at:

  • adoption of Council of Europe Convention No. 108?

  • adoption of OECD and UN Guidelines on Data Protection?

  • human rights considerations (due process if the police and other authorities want to interfere with private life; the rule of law)?

  • “Safe Harbor” in the USA or whether territory appears in the European Commission list of “approved states”?

  • the rule of law in general

Transfer to a data processor
Transfer to a data processor

  • Principle less of an issue if transfer is to a data processor.

  • Data controller subject to UK law

  • Data processor bound by contract to data controller

  • Risk analysis covers both 7th and 8th principles

  • Data processor cannot process personal data for own purposes

  • Problems with security (rather than transfer) can arise if the data processor is based in a country where the rule of law and respect for rights, as per a democratic state, are not established.

Transfer to a data controller
Transfer to a data controller

  • Issues arise when the transfer is to a data controller.

  • Transfer is a “processing” operation, so all the other principles apply

  • First principle – Schedule 2 grounds (and Schedule 3 if necessary)

  • First principle – fair processing requirements re disclosure

  • First principle – lawful processing re disclosure

  • Second principle – compatibility of disclosure with purpose(s) specified at the time of obtaining

  • Seventh principle – security of disclosure; disclosure authorised; risk assessment; disclosure procedures in place


  • ICO website

  • ICO data protection guide - principle 8

  • ICO's preferred approach to transfers

  • Outsourcing

  • BCR page

  • European Commission website: international transfers

  • Model clauses

  • 2004 controller to controller

  • 2001 controller to controller

  • 2010 controller to processor

  • Safe Harbor

Overview of the 8th principle

Keep in touch

Subscribe to our e-newsletter atwww.ico.gov.uk

or find us on…

  • www.twitter.com/iconews

Overview of the 8th principle


Cloud computingThe Buckingham Suite

Data SharingThe Grand Room



Subject access requests and information held in complaints filesPalace 7

Do all members of your organisation understand the importance of data management?Palace 6



Principle 8: Binding Corporate RulesPalace 1

Reporting breachesThe Oak Room



Using personal data for medical researchPalace 4

Section 40 Tribunal decisionsPalace 5