16 Nov

Sending data overseas

The following article is by Javed Ali Legal Consultant, Hill Dickinson LLP for Travel Law Today 4th ed. which can be downloaded rom ABTA's Member zone and read here.

You can help make sure your business is GDPR-ready by attending one of ABTA's forthcoming seminars:
A Beginner’s Guide to Travel Law – 5 December (Manchester)
Essential Business Travel Law – 25 January (London)
Data Protection and Cyber Security in Travel – 1 February (London)
Travel Law Seminar – 22-23 May (London)

The GDPR comes into force in the UK and across the EU in May 2018. The regulations offer greater rights to data subjects and more reporting requirements for companies that transact with and collect data from EU customers and suppliers. Under GDPR there will be joint and several liability on both data controllers and data processors.

Where personal data moves across borders outside the UK and EU this may put at increased risk the ability of customers and other data subjects to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of their personal information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders.

Chapter V of the GDPR governs the transfer of personal data to third countries (non-EU countries). This says that any transfer of personal data to a third country, including the onward transfer of personal data from that third country to another third country, shall take place only if the conditions laid down in Chapter V are complied with by the controller and processor.

The Chapter V conditions are:

  1. A transfer of personal data to a third country may take place where the EU Commission has decided that the third country in question ensures an adequate level of protection. Such a transfer will not require any specific authorisation.
  2. The Commission will publish a list of the third countries which it has decided offer an adequate level of protection and those that, it decides, no longer offer that protection.
  3. The following countries outside of the EU currently have data protection laws that fully comply with the requirements of the EU and have passed laws which meet the principles of the GDPR: Norway, Liechtenstein, Iceland, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and USA.
  4. Where there is no adequacy decision in respect of a country, the controller or processor must ensure that there are adequate safeguards for the transfer of data.
  5. Adequate safeguards can include the use of standard data protection clauses adopted by the Commission or a supervisory authority and approved by the Commission.
  6. In the absence of an adequacy decision or appropriate safeguards a transfer of personal data to a third country shall only take place on limited conditions including:
    • Where the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfer for the data subject due to the absence of an appropriate Commission decision and appropriate safeguards; or
    • Where the transfer is necessary for the performance of the contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request; or
    • Where the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; d.Where the transfer is necessary for the establishment, exercise or defence of legal claims;
    • Where the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

Under Article 30 of the GDPR certain organisations that are data controllers are required to maintain a record of the processing activities that they carry out or which are under its responsibility. This record must include the categories of recipients to whom the personal data has been or will be disclosed, including where applicable recipients in third countries and the identification of those third countries and of any appropriate safeguards.

These obligations will not apply to an enterprise or organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.

The Chapter V conditions are in addition to the general principles for processing data which require that personal data is processed fairly and in a transparent manner; is only processed for specific, explicit purposes; is adequate and not excessive; is not kept for longer than is necessary; and is subject to adequate security.

It is vital that you start to review your contracts in conjunction with your suppliers, including those suppliers that are based overseas, and ensure that you introduce adequate security measures so that your suppliers are fully committed to securing and safeguarding the data that you will be sharing with them. Where the supplier that you are dealing with is not in a country that has adequate levels of data protection you should implement measures to compensate for the lack of data protection by way of appropriate safeguards for your customers.

Such safeguards may consist of making use of binding corporate rules, standard data protection clauses or contractual clauses. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the UK or EU.