Background: The GDPR
Your business or non-profit organisation probably holds “personal data” about customers, suppliers, contractors, paid or unpaid staff, interns, volunteers, or others. Almost every business probably does so. If so, any “processing” of that data by or on behalf of a “data controller” (i.e. by you or on your behalf) may only be carried out as permitted by the Data Protection Act 1998 (“Act”) and the EU General Data Protection Regulation (“GDPR”).
The GDPR will be effective in May 2018 and is directly applicable in the UK. The GDPR contains a number of changes to existing EU law to strengthen and unify data protection for all individuals within the European Union. It requires organisations to implement data protection (or privacy) “by design and by default”. That is already a good practice requirement, but it will now be a legal obligation by virtue of the GDPR.
The GDPR necessitates UK law being amended to bring it up to date and in line with the GDPR. The current Act will be replaced by a new Data Protection Act to ensure that UK data protection law is consistent with the GDPR after the UK’s departure from the EU. A new Data Protection Bill is making its way through Parliament but it is too early to know what the final version will contain. We will update this information page once the new Act is in its final form. However, since the new Act has to be consistent with the GDPR, for the purposes of this information page the position under the new Act will in effect be the same as under the GDPR as outlined below.
The GDPR effects changes in various areas. For example, in cases where it is necessary to obtain the consent of a person in order to process his personal data, the GDPR imposes more demanding requirements as to what constitutes “consent”, and when a person withdraws an existing consent, the organisation holding their data must permanently erase it and not just delete it from a mailing list: the GDPR gives individuals the right to be forgotten.
For any business which processes personal data, it is important to be on top of what the GDPR requires, and to adopt systems and practices which ensure compliance with it.
Following the coming into effect of the GDPR and consequential passing of a new Data Protection Act, there are unlikely to be substantial further changes for some time to the legal position on data transfer within the UK or abroad, but we will review this information page accordingly.
Transfer of personal data from the UK to a data processor who is either in the UK or is in any other EU or non-EU country: Introduction
In the course of running your business you might need to transfer personal data that you hold to a location within or outside the UK, either to someone in the UK, EU, or EEA or to a country outside the UK, EU, or EEA, so that they can carry out processing of that data for you. (The person/organisation carrying out the processing for you is the “data processor”.)
For example, you might engage a data processor to receive or access customer data from you so that the data processor can use the data to provide you with certain stated services or facilities that you use to run your business, e.g. IT or administrative services. The arrangement would make clear that the data processor may not make any other use of the data or disclose it to any third party. This would be a typical situation but there will be many other situations where an organisation might legitimately wish to transfer personal data to another organisation.
The Act and the GDPR apply to such transfers
Such transfers will be governed by the GDPR and, subsequently, the new Data Protection Act instead of the current Act. Their provisions impose particular restrictions and requirements on the transfer of data, as outlined below. The requirements have to be met by a data controller if it is to transfer data lawfully (see “Consequences of breach of the law” below). Those requirements relate to the need to protect the individuals whose personal data is to be transferred. The requirements are different, depending on whether the transfer is from the UK to someone in the UK, EU, or EEA, or from the UK to someone outside the UK, EU, or EEA.
Data transfer within the UK, European Union, or European Economic Area
Where a data controller in the UK arranges for a data processor within the UK, EU, or EEA to process personal data which the data controller holds, Schedule 1 to the current Act and the GDPR require there to be a written contract under which the data processor agrees to act only on instructions from the data controller and is required by the data controller to comply with obligations equivalent to those imposed on a data controller by the Seventh Data Protection Principle under the current Act. That Principle states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The GDPR also states that the contract must contain details of the processing to be carried out, details of the data processor’s obligations, and certain other details. Once the GDPR comes into force, any particular contract or form of contract used by a data controller must contain all the GDPR requirements for such a contract.
Neither the Information Commissioner (“ICO”) nor the EU Commission provides or recognises any standard clauses for the purpose of such a contract, although they may do so in future.
Our template document Data Processing Agreement - Personal Data Security (UK/EEA) is designed to deal with the specific situation of a data controller within the UK engaging a data processor within the UK, EU, or EEA to hold/process personal data for the data controller. It meets the Schedule 1 requirements and the GDPR’s requirements for such a contract (and, it is expected, the new Act’s requirements).
Further legal developments might at some point alter the above position in relation to transfer of personal data within the UK, EU, or EEA but it is unlikely for the foreseeable future. The new Act is unlikely to alter that position. However, if the position does change, we will amend our template (and this information page) as necessary.
Data Transfer Outside the EU
The Eighth Data Protection Principle under the current Act prohibits you as a data controller from transferring personal data outside the EU or EEA unless the destination country provides an adequate level of protection for the rights and freedoms of the individuals concerned. There are a number of alternative ways of ensuring such protection under the current Act and the EU Directive, as follows. These are alternatives, and your situation needs to fall within only one of them in order for you to be compliant. However, the “model terms” option (described below) is usually the option most likely to provide a practical solution, either because the other options are relatively difficult to use or because they are not available in your situation.
1. Recognised destination
If the destination country is one of those recognised for the purpose by the EU Commission, that in itself will satisfy the test of “adequate level of protection”. The Commission’s website lists the countries which it recognises. The transfer of data from the UK to the USA is complicated since the USA is not listed as “recognised” but the current position in brief is that a transfer will be permitted if the USA recipient (“data importer”) has self-certified compliance with the Privacy Shield framework.
This “recognised destination” option will continue under the GDPR (and the new Act).
2. Adequate level of protection
If the destination country is not “recognised”, then the requirements of the Eighth Data Protection Principle may be met if the data controller concludes that there is an adequate level of protection in all the circumstances for the person who is the subject of the data, having regard in particular to certain “adequacy criteria”. Those criteria are set out in the Act. It may not always be easy to apply the adequacy criteria, given that data controllers are legally bound to apply them and to carry out a proper analysis in a way that clearly ensures compliance, and so this method of providing an “adequate level of protection” is of very limited use.
We have not set out here the criteria under the 1998 Act since this “self-assessment” regime is different and more restrictive under the GDPR (and under the new Act). As of May 2018, “self-assessment” will be acceptable under the GDPR only if the transfer is not to be repetitive, if it only concerns a limited number of data subjects, if it is necessary for the purposes of compelling legitimate interests pursued by the data controller not overridden by the interests or rights and freedoms of the data subject, and only if the data controller has assessed all the circumstances, provided suitable safeguards, and informed the ICO of the transfer.
All in all, it is very difficult for most to make proper use of this method.
3. An exemption
A number of exemptions from application of the Eighth Data Protection Principle are set out in Schedule 4 of the Act. If any of them apply, there will be no need to consider whether there is an “adequate level of protection”. With a few minor changes, the exemptions, as follows, will remain under GDPR (and, it is expected, the new Act):
(a) You may rely on any of the following exempt cases, if one of them actually applies. Whether it does will depend on all of the circumstances. You will need your own individual guidance based on your own circumstances. An exemption will apply if the transfer is necessary:
(i) to perform a contract with the data subject, or to take steps at their request with a view to entering into a contract with them (including employment contracts); or
(ii) for the conclusion of a contract between the data controller and a third party that is entered into at the request of the data subject; or
(iii) in the interests of the data subject, or for the performance of such a contract; or
(iv) in the substantial public interest of the UK (such as crime prevention or detection); or
(v) for the purpose of, or in connection with:
- any legal proceedings; or
- obtaining legal advice; or
- otherwise for establishing, exercising, or defending legal rights; or
(vi) to protect the vital interests of the data subject (that is, a life-or-death situation); or
(b) The transfer is made on terms which are of a kind approved by the ICO, or has been authorised by the ICO as being made in such a manner, as ensures adequate safeguards for the rights and freedoms of data subjects; or
(c) The data subject has consented to the transfer. However, it is not easy to achieve consent for this purpose, and the GDPR imposes tighter requirements than the current Act does on “consent”. It has to be given clearly and freely (data subjects must take affirmative action to provide their consent such as signing a form or ticking a box), it has to be specific to the purpose and informed (“catch-all” consents will likely be invalid), and it must be easy for the data subject to withdraw the consent.
4. Agreement on “model terms”
In view of the uncertainties and difficulties surrounding use of any of the various means outlined above of complying with the requirement to ensure an adequate level of protection, it will often be easier and preferable to make use of the following means instead.
Compliance will be achieved by a data controller and data processor signing an agreement governing the transfer of data on the model terms issued by the EU Commission for the purpose. Such an agreement is deemed to provide a “safe harbour” for data controllers transferring personal data outside the EU or EEA.
EU Directive 95/46/EC authorised EU member states to allow transfer of data by a data controller to a data processor if those two entities enter into an agreement on model terms published for the purpose by the EU Commission. By means of a Commission Decision of 2010, the Commission published model terms, and the UK then authorised their use in 2010.
Our template document Data Processing Export Agreement - Personal Data Security (Non-EU) contains the model terms and it may be used as a basis for transferring personal data outside the EU to a data processor who is to hold/process that personal data for the data controller.
The GDPR (which supersedes the EU Directive and the Data Protection Act 1998) and the new Act will not substantially alter the previous model terms regime. Therefore, our template may be used despite the GDPR and the new Act coming into effect. It is possible that the model terms will be amended in the foreseeable future, and if they are, we will amend our template to take account of those changes.
Consequences of Breach of the Law
Under the current Act, the maximum fine the ICO can levy against a data controller that has breached the legislation is £500,000.
Under the GDPR, the ICO can impose fines of up to 20 million Euros or 4% of group worldwide turnover (whichever is greater) against both data controllers and data processors. Infringement of requirements regarding international transfers of personal data could attract such fines.
Not only might there be fines, but in addition individuals will have the right to claim compensation for any damage suffered.