Are you making international data transfers?

A data controller or data processor is responsible for implementing appropriate technical and operational measures to secure the data for which they are accountable. When these data are stored or processed in a third country (one outside the EU/EEA), an international data transfer occurs. The GDPR sets out specific requirements for international data transfers in Chapter V (Articles 44-50).

In this blog post, I will discuss when an international data transfer occurs, why it might be occurring in your company, and the GDPR controls required to ensure that these transfers are legitimate.

A particularly topical concern is the position of the UK, which on 1st January 2021 will become a third country, so that data transfers to it from Ireland (and the rest of the EU) will require safeguards.

When it occurs

The most obvious international data transfer is when data is sent to a data processor in another country. However, there are two additional situations to consider.

First, the data may remain in the home country while the staff processing it are located in a third country. Data accessed from a third country is transferred to that country and must be treated as an international transfer.

Second, you need to understand in depth any other processing the data may be subject to and whether that processing moves the data to a third country. Examples include data backups, or logs that are consolidated on a server located elsewhere.

Why you might be making transfers

Modern businesses of all sizes use software tools to support, and sometimes enable, business processes. The software as a service (SaaS) model lets smaller companies avail of powerful software without investing in the hardware and IT services required to host it. Cloud hosting services provide a similar benefit to software companies, allowing them to make their products available without investing in the physical hardware, services, and support personnel required to operate the compute, network, and storage platforms. Frequently, the software offered to a small business as a service is itself built on cloud computing.

Once the data is no longer stored in your own data centre, you need to know where it is stored (in the EU or not) and where the people processing it are located (in the EU or not). You need to establish this for every piece of software hosted by a service provider. For any that is not located in the EU (either the storage or the processing staff), an international transfer applies.

Online software is used widely across all functions in a business. It includes the company website and customer relationship management tools used by sales and marketing; enterprise resource management and case management software used by operations; email and conferencing services used by administration; staff records managed by human resources; helpdesk and version control software used by IT; accounts and invoicing software used by finance; and risk management and board records tools used by boards and senior management.

Required controls

An international transfer can be made on the basis of an adequacy decision by the EU Commission. Adequacy decisions are made by the Commission following an evaluation and assert that the subject of the decision (a country, territory, or sector) provides an adequate level of protection for personal data.

For countries that do not have an adequacy decision, you must put appropriate safeguards in place before transferring the data. Appropriate safeguards must be documented and enforceable between the parties. To establish these safeguards you may leverage instruments approved by the Commission or a supervisory authority, such as Standard Contractual Clauses or Codes of Conduct. Adopting these instruments may require you to document the additional technical and operational measures implemented to ensure the security of the data.

International transfers within a group may be controlled by Binding Corporate Rules. Binding Corporate Rules must be approved by a supervisory authority.

Derogations may be sought for an individual transfer or a group of transfers. However, this is an approach of last resort and is not a suitable strategy for ongoing transfers.