Chapter 6 : Are you sure you know which countries keep data safe?

Not only do you have to make sure that every organisation that you share personal data with is safe, you also have to take extra care if that organisation is abroad.

By Nigel Jones

Co Founder of The Privacy Compliance Hub

March 2019

GDPR Definition

You can only transfer personal information to another country if that is done safely. Countries are safe if the law says they are safe, or if the European Commission has declared them to be safe.

The law deems that the countries of the European Economic Area are safe. That means that the twenty-seven countries of the European Union plus Iceland, Liechtenstein and Norway (and the UK during the transition period) are all ‘safe’ countries to send personal data to.

In addition, the European Commission has issued what are called ‘adequacy decisions’ in respect of the following countries, meaning they are ‘safe’ countries to send data to as well. Those countries are Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

What about the USA?

Lots of organisations in the EU need to share personal data with organisations in the USA in order to carry on doing business the way they want. For example, many cloud hosting platforms are based in the US, as are many social media companies and SaaS platforms.

Organisations in the USA used to be deemed ‘safe’ to share data with if they were signed up to the Privacy Shield Framework. However, a court decision in July 2020 deemed that the Privacy Shield Framework is not safe enough for the personal information of EU citizens and, therefore, the USA is now deemed an unsafe location to send personal information to (but carry on reading).

Safe organisations in unsafe countries

For recipients in ‘unsafe’ countries, contractual wording needs to be put in place before data is sent. This may take the form of what are called standard contractual clauses (otherwise known as model clauses), or binding corporate rules.

What getting this wrong means for dealmaking

If you are an organisation in the EU wanting to do a deal involving personal data with an organisation outside of the EEA, then you need to make sure that the organisation you are dealing with is ‘safe’. Likewise, if you are an organisation outside the EU that wants to do a deal inside the EEA which involves some personal data, then you won’t be able to do the deal unless you get your GDPR compliance sorted out.

At The Privacy Compliance Hub we can help you sort out your GDPR compliance simply and easily with one platform which enables you to build and maintain a comprehensive data protection compliance programme.

This article is part of an eight-part series. Feel free to check out the others:

GDPR : Are you sure you’re fine?

  1. Are you sure your staff know why the GDPR is important to the success of your organisation?
  2. Are you sure you know what you do with people’s data?
  3. Are you sure you tell people what you do with their data?
  4. Are you sure you trust organisations that you are sharing data with?
  5. Are you sure that nobody will complain?
  6. Are you sure you’re secure?
  7. Are you sure you know which countries keep data safe?
  8. Are you sure you build products and services with privacy in mind?