introduction to international data transfers n.
Skip this Video
Loading SlideShow in 5 Seconds..
Introduction to international data transfers PowerPoint Presentation
Download Presentation
Introduction to international data transfers

Loading in 2 Seconds...

play fullscreen
1 / 21

Introduction to international data transfers - PowerPoint PPT Presentation

  • Uploaded on

Introduction to international data transfers. Jonathan Holbrook – Head of Data Protection Practice Geraldine Dersley – Solicitor (Head of Legal Profession). What does the DPA say about international transfers? Is there a recommended approach to complying with the law?

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Introduction to international data transfers

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
introduction to international data transfers

Introduction to international data transfers

Jonathan Holbrook – Head of Data Protection Practice

Geraldine Dersley – Solicitor (Head of Legal Profession)

What does the DPA say about international transfers?

Is there a recommended approach to complying with the law?

What about the machinery of international transfer compliance?

What does the future hold?

ico s role and authorising transfers
ICO’s role and authorising transfers
  • ICO provides general advice and guidance
  • ICO does not routinely authorise one-off arrangements
  • BCR authorisations
  • “The Guide to Data Protection” (Section B8)
  • “The 8th Data Protection Principle and international data transfers”
  • BCR – FAQ and detailed guidance documents
  • (
  • Model contracts
international transfers and the law
International transfers and the law
  • What does the Directive say?
  • Article 25(1) of Directive 95/46/EC:
  • “Transfers may only take place to a third country providing an adequate level of protection.”
international transfers and the law1
International transfers and the law
  • What does the DPA say?
  • 8th Data Protection Principle:
  • “Personal data shall not be transferred to a country or territory outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.
recommended approach initial considerations
Recommended approach – initial considerations
  • Do you need to transfer personal data?
  • Is there a transfer?
  • Does the 8th Principle apply?
  • Have you complied with the other principles?
transfer within eea
Transfer within EEA
  • There are no restrictions on transfers to EEA countries
  • These are currently:
  • Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark,
  • Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
  • Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg,
  • Malta, Netherlands, Norway, Poland, Portugal, Romania,
  • Slovakia, Slovenia, Spain, Sweden, United Kingdom
transfer outside the eea
Transfer outside the EEA
  • Has there been a finding of adequacy under Article 25(6) of
  • the Directive:
  • “The Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into.”
  • Countries with findings of adequacy:
  • Argentina, Canada, Guernsey, Isle of Man, Jersey, Switzerland,
  • Israel, Andorra
safe harbor
Safe Harbor
  • Is the transfer to a member of the US Safe Harbor?
  • US Department of Commerce website?
  • Voluntary mechanism for US organisations agreeing to:
    • 7 principles of information handling
    • be held responsible for keeping to those principles by the Federal Trade Commission or other oversight scheme
adequate level of protection
Adequate level of protection
  • In other cases, transfer can go ahead if data controller is
  • satisfied in the circumstances that there is adequate level of
  • protection. You can:-
  • Assess adequacy yourself
  • Use contracts including the European Commission approved model contractual clauses
  • Get your Binding Corporate Rules approved by the Information Commissioner
  • Rely on exceptions from the rule
assessing adequacy
Assessing adequacy
  • Data controllers required to ensure adequacy of protection in
  • all the circumstances of the transfer including:
  • Nature of personal data being transferred
  • Use of personal data and for how long
  • Laws and practices of the destination country
  • Extent to which the country has adopted DP standards
  • Whether you can ensure that the standards are achieved in practice
  • Whether there is effective procedure to enforce individual rights and obtain compensation
implementing adequate safeguards
Implementing adequate safeguards
  • Article 26(2) of the Directive
  • “Member States may authorise a transfer to a third country which does not ensure an adequate level of protection where the controller adduces adequate safeguards with respect to the protection of privacy; such safeguards may in particular result from appropriate contractual clauses.”
in layman s terms
In layman’s terms…
  • You have decided a transfer is taking place
  • The data are going to a third country not on the approved list and not covered by Safe Harbor
  • You have assessed that, in some areas, adequate protection does not exist
  • Article 26(2) is a basis for introducing safeguards that “fill the gaps”
model contracts
Model contracts
  • EC and ICO approved contractual clauses
  • Controller to controller; controller to processor
  • Contracts place obligations on “exporter” and “recipient”
  • No changes to model clauses
binding corporate rules
Binding Corporate Rules
  • Internal code of conduct for transfers within a multinational group but outside EEA
  • Approved by relevant European data protection authorities
  • Rights for individuals
  • Working Party documents: WP74, WP108, WP154
bcr application
BCR application
  • Applications must include:
  • Evidence that the rules are binding
  • Description of the processing and data flows
  • Safeguards
  • Mechanism for reporting and recording changes
  • Safeguards
other exceptions
Other exceptions
  • Article 26(1) of the Directive and Schedule 4 DPA
  • Good practice
  • ensure adequate protection if it is possible to do so and only rely on an exception if it is not
  • Rights of individuals will weigh heavily against the interests of the data controller
  • Consent
  • Contract performance
  • Substantial public interest
  • Legal proceedings, advice or rights
  • Vital interests
  • Public register
and finally
and finally…
  • Have you recorded the basis on which your decisions have been taken?
Subscribe to our e-newsletter
  • at
  • Follow us on Twitter
  • at