
General Data Protection Regulation 2018 (4) – Data Transfer outside the EEA

  • By MICHAEL HANSON
  • 19 Mar, 2018

YOUR COMPLIANCE MATTERS – General Data Protection Regulation 2018 (4) – Data Transfer outside the EEA

Relevance: All firms.

Action required: Review whether any client data is currently sent outside the EEA and identify whether the territory provides compliant protection.

 

As noted in our previous newsletters, the General Data Protection Regulation (GDPR) is effective from 25 May 2018.

A recent query prompted us to remind all clients of the current requirements (which are carried into the GDPR). Please be aware that the rules cover data held in the Cloud as well as data sent directly outside the EEA.

You must not transfer client data outside the EEA unless the territory concerned has been assessed and approved by the European Commission (unless you are technically capable of carrying out a credible assessment of your own!).

The EEA territories, and those approved, are listed below. Please note that the list does not include the US.

You can only be certain of your legal position, allowing you to transfer data to the US, if the recipient has joined the Privacy Shield arrangement (which provides greater protection to individuals and has been signed off by the European Commission). Please see https://ico.org.uk/media/for-organisations/documents/2014413/data-transfers-to-the-us-and-privacy-shield.pdf

This provides access to a list of organisations that have signed up (including Microsoft). The list can be found at https://www.privacyshield.gov/list

Action required

We suspect that Cloud computing service providers have already identified, and addressed, any issues arising from the rules but, if you are unsure where data is held, or you have reason to believe it may not be protected properly, it is your responsibility to address the issue.

 

Which countries are in the EEA?

Austria
Belgium
Bulgaria
Croatia
Cyprus
Czech Republic
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Iceland
Ireland
Italy
Latvia
Liechtenstein
Lithuania
Luxembourg
Malta
Netherlands
Norway
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
United Kingdom

Which countries have an adequate level of protection?

The European Commission has decided that certain countries have an adequate level of protection for personal data. Currently, the following countries are considered as having adequate protection.

Andorra
Argentina
Faroe Islands
Guernsey
Isle of Man
Israel
Jersey
New Zealand
Switzerland
Uruguay

 

 
