International Transfers
Additional requirements apply where you are transferring personal data overseas and this is explored below.
The ICO has its own helpline: 03031231113
The REC also offers members a range of model documents and guides on data protection, as well as additional resources.
What impact does Brexit currently have on data protection? What does this mean for the UK?
Currently the GDPR allows the free flow of personal data between European Economic Area (“EEA”) countries and the UK. Having reached a deal with the EU, and as part of the Withdrawal Agreement, we have been granted a grace period of up to 6 months, so that personal data can flow freely from the EEA to the UK. In this current period we are waiting and hoping for the European Commission to grant the UK its adequacy decision. If an adequacy decision is granted, it will continue to allow data to be transferred from the EEA to the UK freely once the grace period ends. We are hoping that an adequacy decision will be confirmed before 01 July 2021.
Whilst we wait for the European Commission to make a decision, the UK government have confirmed that they are (or will be):
1. Preserving EU GDPR standards in domestic law;
2. Transitionally recognising all EEA countries (including EU Member States) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue;
3. Preserving the effect of existing EU adequacy decisions on a transitional basis;
4. Recognising EU Standard Contractual Clauses (“SCCs”) in UK law and giving the ICO the power to issue new clauses (please see FAQ: As at 01 January 2021, what does my business need to do to be able to make an international transfer? for further information);
5. Recognising Binding Corporate Rules authorised before Brexit;
6. Maintaining the extraterritorial scope of the UK data protection framework; and
7. Obliging non-UK controllers who are subject to the UK data protection framework to appoint representatives in the UK if they are processing UK data on a large scale.
In the event that an adequacy decision is not granted after the grace period for the free flow of data from the EEA to the UK ends, recruitment businesses that want to continue receiving personal data from clients in EEA countries may wish to consider putting into place “appropriate safeguards”, such as using the European Commission’s Standard Contractual Clauses (SCCs), which the ICO have adopted. In most cases, SCCs are likely to be the most suitable solution. The ICO has created an interactive tool that identifies the circumstances in which businesses could use the SCCs for transfers from the EEA to the UK. The SCCs can be found on the ICO website, with model contracts for a controller-to-controller template as well as a controller-to-processor template.
Please note that recruiters in the UK are, from now on, allowed to transfer personal data to clients in the EEA (or another adequate country) irrespective of the European Commission's decision regarding the transfer of data from the EEA to the UK. This is because any country which was covered by a European Commission adequacy decision on or before 31 December 2020 has been accepted as "adequate" by the UK.
The information in this FAQ was correct at the time of writing, but recruitment businesses should remain vigilant for any further changes.
As at 01 January 2021, what does my business need to do to be able to make an international transfer?
The ICO have produced extensive guidance on International Transfers which discusses the various mechanisms businesses can rely on to transfer data outside of the UK and comply with the GDPR.
To recap, the UK officially left the EU on 31 January 2020 and we are no longer in the transition period. Any transfer of personal data outside the UK to another country is likely to be deemed a restricted transfer. Any restricted transfer from the UK to another country (including EEA countries) will fall under the UK's version of the GDPR, which is broadly the same as the EU GDPR rules. Under this regime, personal data can be transferred freely from the UK to the EEA and to other countries that were covered by a European Commission adequacy decision on or before 31 December 2020. The Government plans to keep this under review and will use its powers to make its own "adequacy regulations" for other third countries and international organisations going forward.
A list of the countries in the EEA that are currently covered by the UK's adequacy regulations can be found here. Countries outside of the EEA which are also covered by the UK's adequacy regulations can be accessed here. This means that these listed countries have been deemed to have a data protection regime that is equivalent to, or meets the minimum requirements of, the UK GDPR.
As long as data controllers and processors comply with their obligations under the UK GDPR, data can be transferred outside of the UK.
In the event that the country to which personal data will be transferred does not have an adequacy decision, additional safeguards will need to be implemented, whilst still complying with the rest of the UK GDPR.
In summary, the full list of options is:
1. A legally binding and enforceable instrument between public authorities/bodies
2. UK Binding Corporate Rules
3. Standard Contractual Clauses adopted by the European Commission – probably the most appropriate to use and the ICO have provided template contracts that businesses can download for free within their International Transfers guidance that would support compliance with the UK GDPR.
4. An approved code of conduct together with binding and enforceable commitments of the receiver outside of the EEA – not yet in use.
5. Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA – not yet in use.
6. Contractual clauses authorised by the ICO.
7. Administrative arrangements between public authorities or bodies which include enforceable and effective rights for the individuals whose personal data is transferred and which have been authorised by the ICO.
If none of the above apply and there is no adequacy decision, you will have to consider whether the transfer is covered by an exception, as per article 49 of the GDPR, namely:
1. "Has the individual given explicit consent to the restricted transfer?"
2. "Do you have a contract with the individual? Is the restricted transfer necessary for you to perform that contract? Are you about to enter into a contract with the individual? Is the restricted transfer necessary for you to take steps requested by the individual in order to enter into that contract?"
3. "Do you have (or are you entering into) a contract with an individual that benefits another individual whose data is being transferred? Is that transfer necessary for you to enter or perform that contract?"
4. "You need to make the transfer for important reasons of public interest."
5. "You need to make the transfer to establish if you have a legal claim, to make a legal claim or to defend a legal claim."
6. "You need to make the transfer to protect the vital interests of an individual. They must be physically or legally incapable of giving consent."
7. "You are making the transfer from a public register."
8. "You are making a one-off transfer and it is in your compelling legitimate interests."
Even if you are able to rely on a mechanism that would allow you to transfer internationally, you should still consider the general UK GDPR principles (such as security, transparency, accountability, data minimisation etc.) and take steps to keep the data secure.
For further information on transferring data outside the UK, adequacy decisions, appropriate safeguards and exemptions, please read the ‘International transfers’ section on the Information Commissioner’s Office website.
If my data is kept on a server overseas, does this mean I make an international transfer?
The ICO’s International Transfers guidance explains that there would not be a restricted transfer if there is no intention that the data will be accessed or manipulated by a third party whilst outside of the UK.
It may be practical for recruiters to consider speaking to their IT providers to discuss moving servers inside the UK to avoid having to answer the question (i.e. can the personal data be accessed or manipulated?).
“Personal data is transferred from a controller in the UK via a server in Australia. There is no intention that the personal data will be accessed or manipulated while it is in Australia. Therefore, there is no restricted transfer.”
Recruitment businesses should already be aware of their data flows (i.e. where the personal data that they process is going). If the personal data can be accessed or manipulated by a third party, and it is not made clear in the privacy notice, then notwithstanding the potential breach of the international transfer provisions of the UK GDPR, there may be a breach of the right to be informed under UK GDPR in addition to potential confidentiality and/or data breach issues.
Recruiters should ensure that they are aware of how their data is kept secure whilst in the cloud, and consider adequacy decisions or standard data protection clauses as the main options (see the FAQ titled ‘What impact does Brexit currently have on data protection’). However, the use of cloud services, where there is no intention for the personal data to be accessed or manipulated outside the UK, still appears to be permissible moving forwards (unless, of course, the ICO’s stance shifts).
Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.