Sending personal data outside the European Economic Area (Principle 8)

This section provides practical advice to companies or other organisations who want to send personal data outside the European Economic Area (EEA).

In brief – what does the Data Protection Act say about sending personal data outside the EEA?

The Data Protection Act says that:

Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

This is the eighth data protection principle, but other principles of the Act will also usually be relevant to sending personal data overseas. For example, the first principle (relating to fair and lawful processing) will in most cases require you to inform individuals about disclosures of their personal data to third parties overseas. The seventh principle (concerning information security) will also be relevant to how the information is sent and the necessity to have contracts in place when using subcontractors abroad.

The Act also sets out the situations where the eighth principle does not apply, and these situations are also considered in more detail in this section.

In more detail...

Is it possible to fulfil my objectives and send information outside the UK without processing personal data?

Before making a transfer, you should consider whether you can achieve your aims without actually processing personal data. For example, if data is made anonymous so that it is not possible to identify individuals from it, now or at any point in the future, then the data protection principles will not apply and you are free to transfer the information outside the EEA.

What is a transfer?

A transfer involves sending personal data to someone in another country.

Example
A company in the UK uses a centralised human resources system in the United States belonging to its parent company to store information about its employees.

Example
A travel agent sends a customer’s details to a hotel in Australia where they will be staying while on holiday.

A transfer is not the same as the transit of information through a country. The eighth principle will only apply if the information moves to a country, rather than simply passing through it en route to its destination.

Example
Personal data is transferred from country “A” to country “B” via a server in country “C”, which does not access or manipulate the information while it is in country “C”. In these circumstances the transfer is only to country “B”.

You will be processing personal data in the UK and transferring it even if:

  • you collect information relating to individuals on paper, which is not ordered or structured in any way; and
  • you send this overseas with the intention that once it is there it will be processed using equipment operating automatically; or
  • it will be added to a highly structured filing system relating to individuals.

Example
A large insurance broker sends a set of notes about individual customers to a company acting on their behalf in another country. These notes are handwritten and are not held on computer or as part of a relevant filing system in the UK. The notes are to be entered onto a computer in the other country and added to a customer management system.

Putting personal data on a website will often result in transfers to countries outside the EEA. The transfers will take place when someone outside the EEA accesses the website. If you load information onto a server based in the UK so that it can be accessed through a website, you should consider the likelihood that a transfer may take place and whether that would be fair for the individuals concerned. If you intend information on the website to be accessed outside the EEA, then this is a transfer.

Which countries are in the EEA?

There are no restrictions on the transfer of personal data to EEA countries. These are currently:

  • Austria
  • Belgium
  • Bulgaria
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Iceland
  • Ireland
  • Italy
  • Latvia
  • Liechtenstein
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Norway
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden

Which countries have an adequate level of protection?

The European Commission has decided that certain countries have an adequate level of protection for personal data. Currently, the following countries are considered as having adequate protection.

  • Andorra
  • Argentina
  • Canada
  • Faroe Islands
  • Guernsey
  • Isle of Man
  • Israel
  • Jersey
  • Switzerland

View an up-to-date list of such countries at the European Commission’s data protection website.

Although the United States of America (US) is not included in the European Commission list, the Commission considers that personal data sent to the US under the “Safe Harbor” scheme is adequately protected. When a US company signs up to the Safe Harbor arrangement, they agree to:

  • follow seven principles of information handling; and
  • be held responsible for keeping to those principles by the Federal Trade Commission or other oversight schemes.

Certain types of companies cannot sign up to Safe Harbor. View a list of the companies signed up to the Safe Harbor arrangement on the US Department of Commerce website.

In July 2007, the EU and the US signed an agreement to legitimise and regulate the transfer of passenger name record information (PNR) from EU airlines to the US Department of Homeland Security (DHS). This agreement is regarded as providing adequate protection for the personal data in question.

If the data protection law in a country has not been approved as adequate, is it still possible to send personal data to that country?

Yes, if you are satisfied that in the particular circumstances there is an adequate level of protection. You can:

  • assess adequacy yourself;
  • use contracts, including the European Commission approved model contractual clauses;
  • get your Binding Corporate Rules approved by the Information Commissioner; or
  • rely on the exceptions from the rule.

How do I assess adequacy?

You will need to be satisfied that in the particular circumstances there is an adequate level of protection. For UK personal data the Act sets out the factors you should take into account to make this decision. These relate to:

  • the nature of the personal data being transferred;
  • how the data will be used and for how long; and
  • the laws and practices of the country you are transferring it to.

This means doing a risk assessment. You must decide whether there is enough protection for individuals, in all the circumstances of the transfer. This is known as an assessment of adequacy. To assess adequacy you should look at:

  • the extent to which the country has adopted data protection standards in its law;
  • whether there is a way to make sure the standards are achieved in practice; and
  • whether there is an effective procedure for individuals to enforce their rights or get compensation if things go wrong.

We realise it may be impractical for you to carry out a detailed analysis of adequacy involving the legal situation in a non-EEA country. This analysis might be more appropriate for a business that regularly transfers large volumes of personal data to a particular country, rather than a company that might only occasionally transfer personal data to any of a wide range of countries. For this reason, this Guide does not give detailed advice on how to carry out an adequacy test; this is provided in sections 2.3 to 2.6 of The eighth data protection principle and international data transfers.

In some cases you might reasonably decide there is adequacy without a detailed test. A common situation is where you transfer personal data to a processor acting on your instructions under contract. You are still legally responsible for making sure the data is processed in line with the principles. In particular, personal data can only be transferred if there is a contract requiring the processor to have appropriate security and act only on your instruction. So individuals’ information should continue to be protected to the same standard as in the UK and they will have the same rights they can exercise in the UK. This is because you remain liable for ensuring that the processing complies with the data protection principles. When selecting a processor, you need to satisfy yourself that it is reliable and has appropriate security.

However, the level of protection is unlikely to be adequate if:

  • the transfer is to a processor in an unstable country; and
  • the nature of the information means that it is at particular risk.

For more information see section 5 of The eighth data protection principle and international data transfers and the good practice note on Outsourcing - a guide for small and medium-sized businesses.

You may reasonably decide there is adequacy without a detailed analysis, depending on: the nature of the information; the circumstances of the transfer; your knowledge of the country; and the company you are transferring to. Some examples are discussed below.

Example
A university wishes to transfer the academic biographies of its lecturers and research staff to other universities and potential students outside the EEA. Nothing of a private nature is included. This is a well-known practice in the university. The personal data, such as the staff’s qualifications and publications, is already publicly available. Any member of staff can have their information withheld if they have a reason to do so – such as concerns about their safety. In this case, it is difficult to see a problem with adequacy as the potential for staff to object has been addressed and there is little further risk of misuse.

Example
Company A in the UK sends its customer list to company B outside the EEA so that company B, acting as a processor, can send a mailing to company A’s customers. It is likely that adequate protection exists if:

  • the information transferred is only names and addresses;
  • there is nothing particularly sensitive about company A’s line of business;
  • the names and addresses are for one-time use and must be returned or destroyed within a short timescale;
  • company A knows company B is reliable; and
  • there is a contract between them governing how the information will be used.

Example
An employee travels outside the EEA with a laptop containing personal data connected with their employment. Their employer in the UK is still the data controller. As long as the information stays with the employee on the laptop, and the employer has an effective procedure to deal with security and the other risks of using laptops (including the extra risks of international travel), it is reasonable to decide that adequate protection exists.

Example
A multinational company transfers a list of internal telephone extensions to its overseas subsidiaries. The nature of the information makes it unlikely that the individuals identified would suffer significant damage in the unlikely event that an unauthorised source obtained the list. It is reasonable to decide that adequate protection exists.

These examples show that you can, in particular circumstances, decide whether there is adequacy. You might limit the types of information you transfer and the types of organisation you transfer to, or insist that the destination company meet certain conditions by contract or otherwise.

How can you use contracts to ensure there is an adequate level of protection?

There are several types of contract that you can use to transfer personal data outside the EEA. The main types are:

  • contracts based on the standard contractual clauses approved by the European Commission (EC model clauses); and
  • other contracts you draw up yourself after a risk assessment to bring protection up to an adequate level.

EC model clauses

The European Commission has approved three sets of standard contractual clauses (known as model clauses) as providing an adequate level of protection. If you use these model clauses in their entirety in your contract, you will not have to make your own assessment of adequacy.

Two of the sets of model clauses relate to transferring personal data from one company to another company, which will then use it for its own purposes. In this case you can choose either set of clauses, depending on which suits your business arrangements better. The other set of model clauses is for transferring personal data to a processor acting under your instructions, such as a company that provides you with IT services or runs a call centre for you.

The model clauses are attached as an annex to the European Commission decisions of adequacy, which approve their use. The Information Commissioner has authorised the use of both sets of model contracts for transfers from controller to controller: the original 2001 clauses and the revised 2004 clauses. The Information Commissioner has also authorised the use of the revised contractual clauses adopted in May 2010 for transfers from controller to processor, and in doing so has withdrawn his authorisation for the original 2001 clauses for transfers from controller to processor. Contracts made under this authorisation and concluded before 15 May 2010 are still valid; however, the revised clauses should be used from 15 May 2010.

Links to the model contract clauses:

2004 controller to controller
2001 controller to controller
2010 controller to processor

If you are relying on the European Commission adequacy decisions you cannot change the clauses in any way, for example by removing parts or adding other clauses to change the meaning, but the clauses can be incorporated into other contracts. For more information, see section 3.2 of The eighth data protection principle and international data transfers.

Other contracts

You can also use your own contracts to help ensure adequacy for a particular transfer or set of transfers. You can use these contracts to plug gaps where you have decided that there would be adequacy, were it not for a particular weakness. For example, you may want to include a contract clause to require the company receiving the information to return it to you if your relationship comes to an end or they go out of business.

You do not have to have a separate contract for data protection. You can include the terms to achieve adequacy into any general contract that covers your relationship with the other company.

You can also use contracts where you are not in a position to judge adequacy. The contract should be comprehensive to enable you to satisfy yourself that adequacy exists, without you needing to analyse the circumstances of the transfer. This kind of contract is likely to be very similar to a standard contract using the EC model clauses, which you can use to develop your own terms.

If you use contract provisions that differ from the model clauses, you risk a future challenge to the adequacy of the contract’s level of protection. You must record your reasoning and decisions and be able to justify your actions if you are asked to. This is in line with our general approach to compliance with the Act. We are not able to give you detailed advice on or approve contracts other than in exceptional circumstances.

In what circumstances will the Information Commissioner approve transfers by an organisation?

The Information Commissioner has the power to authorise transfers of personal data on the basis that in the particular circumstances there is an adequate level of protection, but we will not routinely do this because you will be in a better position to decide if there is adequacy in the light of your knowledge of the safeguards and the processing taking place.

If we authorise a transfer, we must tell the European Commission and other data protection authorities in Europe.

We will not authorise one-off arrangements between you and companies in other countries unless there are exceptional circumstances. We would have to be satisfied that there was no other reasonable way for you to comply with the eighth principle, for example by applying any of the exemptions or by making your own assessment of adequacy.

What are “binding corporate rules”?

Another option is to adopt binding codes of corporate conduct, known as binding corporate rules or BCR. This option only applies to multinational organisations transferring information outside the EEA but within their group of companies. These rules create rights for individuals, which can be exercised before the courts or data protection authorities, and obligations for the company. In all cases, the rules are legally binding on the companies in the multinational group and will usually be made so by unilateral declarations, intra-group agreements or the corporate governance of the group. To use BCR to transfer personal data freely within your group of companies, they must be approved by all the relevant European data protection authorities who will co-operate with each other in assessing the standard of your rules.

You may use internal codes of conduct, similar to BCR, to transfer information from the UK without an authorisation where:

  • you have conducted a risk assessment; and
  • you are satisfied that the codes provide the level of safeguards required by the eighth principle.

Where you do not have an authorisation, you risk a future challenge to the adequacy of the contract’s level of protection. You must record your reasoning and decisions and be able to justify your actions if you are asked to. This is in line with our general approach to compliance with the Act.

For more information on BCR, see section 3.3 of The eighth data protection principle and international data transfers, and the BCR page.

Are there any exceptions to the rule?

There are several exemptions from the eighth principle, where you can transfer personal data even if there is no adequate protection. However, it is good practice to ensure that there is adequate protection if it is possible to do so, and only to rely on an exemption if it is not. Nevertheless, the exemptions are legally available to you and may in some circumstances provide a simple solution that only results in a minimal loss of protection for the individual. You will find a detailed analysis of the exemptions in section 4 of The eighth data protection principle and international data transfers.

Consent

You can transfer personal data overseas if you have the individual’s consent, which should be given clearly and freely and may later be withdrawn by the individual. For further information, please read the section about consent.

Consent will not be valid if the individual has no choice but to give it.

Example
A company asks its employees to agree to the international transfer of their personal data. The penalty for not agreeing is dismissal, and so the company may not rely on any “consents” given by its employees in these circumstances.

The individual must know and have understood what they are agreeing to. You should specify the reasons for the transfer and, as far as possible, the countries involved. If you are aware of any particular risks involved in the transfer, you should tell the individual. In our view, consent is unlikely to provide an adequate long-term solution to repeated transfers or ones that arise from a structural reorganisation.

Contract performance

You can transfer personal data overseas where it is necessary for carrying out certain types of contract or if the transfer is necessary to set up the contract.

For a contract between the organisation and the individual, you may transfer personal data overseas if the transfer is:

  • necessary to carry out the contract; or
  • a necessary part of the steps the individual has asked you to take before a contract is made between you.

For a contract between the organisation and someone other than the individual, you may transfer personal data overseas if:

  • the individual requests the contract or it is in their interests; and
  • the transfer is necessary to conclude the contract; or
  • the transfer is necessary to carry out such a contract.

In this context, contracts are not restricted to goods and services – they can include employment contracts. Deciding whether a transfer is necessary to carry out a contract depends on the nature of the goods or services provided under the contract rather than how your business is organised.

A transfer is not necessary if the only reason you need to make it is because of the way you have chosen to structure your business. Read more about the conditions for processing.

Example
An individual books a hotel in the USA through a UK travel agent. The UK travel agent will need to transfer the booking details to the USA to fulfil its contract with the individual.

Example
The customer of a UK credit-card issuer uses their card in Japan. It may be necessary for the card issuer to transfer some personal data to Japan to validate the card and/or reimburse the seller.

Example
A UK-based internet trader sells furniture online. It makes it clear to customers that it is a retailer, not a manufacturer. Goods are delivered direct to the customer from the manufacturer. If a customer orders goods that are manufactured in the Ukraine, the trader needs to transfer a delivery name and address to the Ukraine to carry out the contract.

Substantial public interest

You can transfer personal data overseas where it is necessary for reasons of substantial public interest. This is a high threshold to meet and it is most likely to be relevant in areas such as preventing and detecting crime; national security; and collecting tax. Organisations intending to rely on this exemption should consider each case individually. The public interest must be that of the UK and not the third country to which the personal data is transferred.

Vital interests

You can transfer personal data overseas where it is necessary to protect the vital interests of the individual. This relates to matters of life and death.

Example
A local health authority could transfer relevant medical records from the UK to another country where an individual had had a heart attack and their medical history was necessary to decide appropriate treatment.

Public registers

You can transfer overseas part of the personal data on a public register, as long as the person you transfer to complies with any restrictions on access to or use of the information in the register.

Example
The General Medical Council (GMC) can transfer extracts from its register of medical practitioners to respond to enquiries from outside the UK, but it is not allowed to transfer the complete register under this exemption. If the GMC puts conditions on inspecting the register in the UK, the person the extract is transferred to, and anyone they then pass it on to, must comply with these restrictions.

Legal claims

You can transfer personal data overseas where it is necessary:

  • in connection with any legal proceedings (including future proceedings not yet underway);
  • to get legal advice; or
  • to establish, exercise or defend legal rights.

Example
A US parent company is sued by an employee of its UK subsidiary. Relevant employee information may be transferred to the US parent as it is required for the defence.

The legal proceedings do not have to involve you or the individual as a party and the legal rights do not have to be yours or the individual’s. Although this exemption could apply widely, transfers are only likely to fall under this category if they are connected with legal proceedings or getting legal advice.

Can I transfer personal data overseas if I get a request for it from the authorities outside the UK on the basis of the laws in their country?

No specific exemption routinely covers all such requests. However, in certain circumstances you will be able to send some personal data to the authorities or other parts of your own organisation in another country where the authorities in that country have requested it. How far you may do so will depend on the nature of the request. You will need to consider these cases carefully and can ask us for advice.

What other sources of information and advice are there?

There is a more complete analysis in The eighth data protection principle and international data transfers. The BCR page also has information about the standard contractual clauses and binding corporate rules.