International Data Transfers – technical update (July 2021)

Because data harms do not just occur in the Bailiwick, personal data transferred outside the Bailiwick must be protected. Depending on where data is going, there are various means of achieving this protection – outlined below.
Where transfers occur to any jurisdiction other than an EU or EEA Member State, sections 12 and 13 of the Law require that a controller's data processing notice (often known as a privacy notice) refers both to the transfer and to the mechanism relied upon for safeguarding it.

Transfers to EU and EEA jurisdictions
EU and EEA Member States (listed below) are considered authorised jurisdictions to which personal data can be transferred without additional safeguards.

• Austria
• Belgium
• Bulgaria
• Croatia
• Cyprus
• Czech Republic
• Denmark
• Estonia
• Finland
• France
• Germany
• Greece
• Hungary
• Ireland
• Italy
• Latvia
• Lithuania
• Luxembourg
• Malta
• Netherlands
• Poland
• Portugal
• Romania
• Slovakia
• Slovenia
• Spain
• Sweden
• Iceland
• Liechtenstein
• Norway

Adequacy
Jurisdictions outside of the EEA can apply to have their data protection legislation designated as 'adequate' by the European Commission (the Commission). This adequacy designation is recognised in the Law and such transfers are considered to be authorised.

As at July 2021, the Commission deems the following countries and territories as adequate:

• Andorra
• Argentina
• Guernsey
• Isle of Man
• Israel
• Jersey
• New Zealand
• Switzerland
• United Kingdom
• Uruguay

The Commission has made partial findings of adequacy about Canada, the Faroe Islands and Japan.

• The adequacy finding for Canada only covers commercial organisations.
• The adequacy finding for the Faroe Islands only covers private sector organisations.
• The adequacy finding for Japan only covers private sector organisations.

Please visit the European Commission's website for up-to-date information on adequacy decisions.

Binding Corporate Rules (section 56(2)(b))
Binding Corporate Rules (BCRs) are an internal code of conduct operating within a multinational group, which applies to restricted transfers of personal data from the group's Bailiwick and EEA entities to non-Bailiwick and non-EEA group entities. This may be a corporate group or a group of undertakings or enterprises engaged in a joint economic activity, such as franchises or joint ventures.

BCRs must be approved by a competent supervisory authority before they can be relied upon for transfers. The ODPA recognises BCRs approved by EEA data protection authorities and is empowered to approve BCRs submitted by local controllers. Schedule 4 of the Law outlines what needs to be covered in a set of BCRs submitted to the Authority for approval. 

It is advisable to refer to the European Data Protection Board’s guidance in relation to supplementary measures to accompany international transfer tools, as this will assist with the assessment of the jurisdiction’s legal redress mechanisms.

Standard Data Protection Clauses (section 56(2)(c))
Also known as ‘standard contractual clauses’ (SCCs) or ‘model clauses’, standard data protection clauses contain contractual obligations on the data exporter (based in the Bailiwick) and the data importer (based outside the Bailiwick and the EEA) and rights for the individuals whose personal data is to be transferred. These clauses are approved by the European Commission, available on their website, and recognised by the ODPA for transfer purposes.  

As a result of a case in the European Court of Justice in 2020, it is now necessary to ensure that the individuals whose data is transferred will be afforded legal redress in the jurisdiction of the data importer if their rights or freedoms are infringed. Controllers need to assess whether this is achievable and not enter into such an arrangement where such redress is not available.  

A new set of SCCs has been approved by the European Commission under the auspices of the GDPR. The new SCCs take on board the CJEU's "Schrems II" judgment that an assessment of legal redress is needed, and they should be used for any new contracts between data exporters and data importers. The new SCCs have a transitional period: European controllers and processors must stop using the pre-GDPR SCCs in new contracts by 27 September 2021, and all existing contracts relying on the pre-GDPR SCCs must be transitioned to the new SCCs by 27 December 2022.

It is advisable to refer to the European Data Protection Board’s guidance in relation to supplementary measures to accompany international transfer tools, as this will assist with the assessment of the jurisdiction’s legal redress mechanisms.

For more information, please see our more detailed technical update on SCCs.

Approved Code of Conduct (section 56(2)(d))
Codes of conduct can be drafted by industry bodies or other parties external to data protection supervisory authorities and used to respond to a particular compliance requirement, in this case international transfers. The code should be combined with binding and enforceable commitments to apply the relevant safeguards and include both a means of responding to data subject rights requests and providing suitable legal redress.

Codes can be approved by the Authority or by another competent supervisory authority. 

Approved Mechanism (section 56(2)(e))
Approved certification mechanisms can be used to respond to a particular compliance requirement, in this case international transfers. The certification mechanism, operated by a competent body accredited by a data protection supervisory authority, should be combined with binding and enforceable commitments to apply the relevant safeguards and include both a means of responding to data subject rights requests and providing suitable legal redress.

Authorisation by the Data Protection Authority (section 57)
It is possible for the Authority to approve bespoke contractual clauses for use in specific situations, outside of those authorised under section 56(2)(c). Such clauses would need to provide appropriate safeguards for the personal data, and the level of legal redress available in the jurisdiction to which data is being transferred would need to be taken into account.

It is advisable to refer to the European Data Protection Board’s guidance in relation to supplementary measures to accompany international transfer tools, as this will assist with the assessment of the jurisdiction’s legal redress mechanisms.

Other Authorised Transfers (section 59)
In exceptional circumstances, it is possible to make a transfer on one of the legal bases found in section 59(1) of the Law (which, for ease of reference, is outlined below). These legal bases must not be relied upon for regular transfers, and the decision-making around the transfer should be documented.

A controller or processor can transfer personal data to an unauthorised jurisdiction where –

(a) required to do so by an order or a judgment of a court or tribunal having the force of law in the Bailiwick,

(b) required to do so by a decision of a public authority of the Bailiwick based on an international agreement imposing an international obligation on the Bailiwick,

(c) required to do so by –
    (i) an order or a judgment of a court or tribunal of a country other than the Bailiwick, or
    (ii) a decision of a public authority of any country other than the Bailiwick, having the force of law in the Bailiwick, and based on an international agreement imposing an international obligation on the Bailiwick,

(d) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision in respect of the unauthorised jurisdiction,

(e) the transfer is necessary –
    (i) for the conclusion or performance of a contract –
        (A) to which the data subject is a party, or
        (B) made between the controller and a third party in the interest of the data subject,
    or
    (ii) to take steps at the request of the data subject prior to entering into such a contract,

(f) the transfer is necessary –
    (i) for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
    (ii) for the purpose of obtaining legal advice, or
    (iii) otherwise for the purposes of establishing, exercising or defending legal rights,

(g) the transfer is necessary to protect the vital interests of the data subject or of another individual, and –
    (i) the data subject is physically or legally incapable of giving consent, or
    (ii) the controller cannot reasonably be expected to obtain the explicit consent of the data subject,

(h) the personal data transferred is personal data in a public register,

(i) the transfer is made from a register to which any member of the public has access who satisfies conditions specified by law for such access, where the transfer is made to or at the request of a person who satisfies those conditions,

(j) the transfer in question satisfies the following conditions –
    (i) the transfer is not repetitive,
    (ii) the transfer concerns only a limited number of data subjects,
    (iii) the transfer is necessary for the purposes of compelling legitimate interests pursued by the controller that outweighs the significant interests of the data subject, and
    (iv) the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided appropriate safeguards for the protection of personal data,

or

(k) authorised to do so by regulations made for reasons of public interest.