Transferring Personal Data Outside of the EEA
TRENDING
PUBLISHED on
22
July
2022
SUMMARY
This blog looks at a very specific area of the GDPR - Article 28 and data transfer outside of the EEA. One of the ways in which you can legitimise an ex-EEA data transfer is by using the standard contractual clauses (SCCs).
Article 28 mandates a number of requirements that must be placed on data processors, by data controllers, via a contract. The question is, are the SCCs sufficient to meet these requirements? Whilst the SCCs are pretty comprehensive, they were drafted before the GDPR came into effect and, as a result, not all of the requirements of Article 28 are addressed by the SCCs.
So, what can you do?
The challenge with the SCCs is that they must be used verbatim. Any change to the wording, even if it has no material effect on the interpretation, means that the parties cannot claim to be using the SCCs. However, it is permissible to add clauses or incorporate the SCCs in a broader contract, ’provided nothing in the other contract or additional clauses alters the effect of any of the model clauses’.
So, if you are outsourcing data processing to processors outside the EEA and transferring PII, then you should supplement, and not solely rely on, the SCCs. The specific gaps between Article 28 and the SCCs are, broadly speaking, that the SCCs (and Appendix where applicable) do not:
- Address the duration of processing
- Contain a requirement for the data importer to commit to confidentiality
- Contain a requirement to support the response to a data subject request
- Comply with the timing or cooperation requirements relating to a data breach
- Address the processor participating in a data protection impact assessment (DPIA)
- Address all audit requirements Address onward transfer of data outside of the EEA.
How URM can help?
Consultancy
Do you need assistance in improving your GDPR compliance position?
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, data retention schedules and training programmes etc.
Read more
Training
Gain a sound grounding and practical interpretation of the GDPR and the DPA 2018!
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
Read more
Consultancy
Does your organisation fully comply with the General Data Protection Regulation (GDPR)?
If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
Read more
related BLog posts
Data Protection
Published on
25/7/2022
Data Transfer Risk AssessmentWe are focussing on transfer risk assessments (TRAs), commencing with the background that led to their introduction and then addressing the five questions.
Read more
Data Protection
Published on
3/4/2025
Privacy Policies Explained: Ensuring Transparency Under the GDPRURM’s blog explains the GDPR’s requirements for privacy policies, the common mistakes organisations make with these policies & how to avoid them.
Read more
Data Protection
Published on
25/7/2022
What is the GDPR?The GDPR (EU) 2016/679 is an EU regulation which came into effect on 25 May 2018 and set a new benchmark for the processing of personal data.
Read more
We were impressed with the implementation and management of the Abriska tool. The service we have received is of a high quality due to the Team’s attention to detail, proactiveness and implementation of enhancement requests from the dev side. The Board is also impressed with the tool and is looking to complete an organisation-wide implementation soon. We will definitely recommend other charity contacts to use the tool, as it is well priced and comes with excellent customer service.
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.