Not only do you have to make sure that every organisation that you share personal data with is safe (see our previous blog post on this topic), you also have to take extra care if that organisation is abroad.
You can only transfer personal information to another country if that is done safely. Countries are safe if the law says they are safe, or if the European Commission has declared them to be safe.
The law deems that the countries of the European Economic Area are safe. That means that the twenty-eight countries of the European Union plus Iceland, Liechtenstein and Norway are all ‘safe’ countries to send personal data to.
In addition, the European Commission has issued what are called ‘adequacy decisions’ in respect of the following countries, meaning they are ‘safe’ countries to send data to as well. Those countries are Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
What about the USA?
Lots of organisations in the EU need to share personal data with organisations in the USA in order to carry on doing business the way they want. For example, many cloud hosting platforms, social media companies and SaaS platforms are based in the US.
The USA is not deemed a ‘safe’ country to send the personal data of EU individuals to. However, if the organisation in the USA with which you want to share data is signed up to the Privacy Shield Framework, then that organisation is deemed ‘safe’ and you can send personal data to it (subject to ensuring that you have the necessary agreement in place).
Safe organisations in unsafe countries
The Privacy Shield Framework is one way that organisations can be ‘safe’, even in ‘unsafe’ countries, but this only works for US organisations and not all US organisations can take advantage of it.
In other ‘unsafe’ countries, or for US organisations that can’t make use of the Privacy Shield Framework, contractual wording needs to be put in place. This may include what are called standard contractual clauses (otherwise known as model clauses), or binding corporate rules.
What getting this wrong means for dealmaking
If you are an organisation in the EU wanting to do a deal involving personal data with an organisation outside of the EEA then you need to make sure that the organisation you are dealing with is ‘safe’. Likewise, if you are an organisation outside the EU that wants to do a deal inside the EEA which involves some personal data, then you won’t be able to do the deal unless you get your GDPR compliance sorted out.
At The Privacy Compliance Hub we can help you sort out your GDPR compliance simply and easily with one platform which enables you to build and maintain a comprehensive data protection compliance programme.
This article is part of an eight-part series. Feel free to check out the others:
GDPR : Are you sure you’re fine?
- Are you sure your staff know why the GDPR is important to the success of your organisation?
- Are you sure you know what you do with people’s data?
- Are you sure you tell people what you do with their data?
- Are you sure you trust organisations that you are sharing data with?
- Are you sure that nobody will complain?
- Are you sure you’re secure?
- Are you sure you know which countries keep data safe?
- Are you sure you build products and services with privacy in mind?