Personal data can be exposed to additional risk when that data is transferred outside the country of origin. The EU also makes the assumption that if information is transferred outside of a member state that the data is at an even great risk.
International transfers are not always overt. When considering if these transfers apply to your organisation ensure you consider the following:
- Systems and services not within your organisations physical locations
- Data storage facilities both hard copy paper and computerised records
- Software or systems not based on your own hardware (cloud services)
- Systems/storage/services provided by partners and suppliers that you work with
The EU has identified what it considers to be safe countries or jurisdictions. In addition to the 28 member states the following countries have agreements in place for data transfers:
- Andorra, Argetina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, United States
If personal data is being transferred to one of these countries it may be permissible.
Start by understanding what data you have and where you transfer it. Performing a simple data mapping exercise is a good first step.
If you do find that you are transferring data overseas a first step would be to understand and check the safeguards and security permissions put in place by the receiving party.
Further than this, it would be a good idea to seek specialist or legal advice. International transfers of personal data have many, many scenarios and generic advice could put your organisation at risk.
- GDPR Recitals: 60, 61, 101-115
- GDPR Articles 13, 14, 15, 30, 45, 46, 49