Data Protection Guidance
Transferring personal data outside the European Economic Area
The eighth data protection principle specifies that personal data should not be transferred
outside of the EEA unless that country ‘ensures an adequate level of protection for the rights
and freedoms of data subjects in relation to the processing of personal data.’
The European Economic Area consists of the 25 EU Member States together with Iceland,
Liechtenstein and Norway. A list of countries that have been approved by the Information
Commissioner as having adequate levels of protections is available via the Information
Commissioners website.
Conditions when transfer may be undertaken
If data are to be transferred outside the EEA to a third party then contractual or other
guarantees should be in place to ensure that the rights of data subjects, for instance to object
to the use of their data for direct marketing purposes, are not diminished as a result of the
transfer and that the third party undertakes to hold the personal data securely.
Where personal data are to be placed on web sites (equivalent to allowing world-wide transfer
of data) then in many cases consent of data subjects should be obtained unless the
information to be posted on the web site would in any case be put in the public domain.
However, personal data may be transferred outside the EEA under the following conditions:
• Data subject has given consent - the data subject should be made aware of any risks
that have been assessed by the data controller as being involved in the transfer and
the data controller should be able to produce clear evidence of the data subject’s
consent and that the data subject was informed of the risks;
• The transfer is necessary:
- for the performance of a contract or for the taking of steps with a view to entering
into a contract;
- for the conclusion of a contract between the University and a person other than the
data subject which is entered into either at the request of the data subject or is in the
interest of the data subject; or for the performance of such contract;
- for reasons of substantial public interest;
- for any legal proceedings (including prospective legal proceedings);
- for obtaining legal advice;
- for establishing, exercising or defending legal rights;
- to protect the vital interests of the data subject (where ‘vital interest’ refers to
matters of life and death);
• The transfer is part of the personal data on a public register;
• The transfer is made on terms which are approved by the Commissioner as ensuring
adequate safeguards for the rights and freedoms of data subjects;
• The transfer has been authorised by the Commissioner as being made in such a
manner as to ensure adequate safeguards for the rights and freedoms of data
subjects.
The general adequacy test
The Data Protection Commissioner’s guidelines suggest that, as a matter of good practice,
data controllers transferring data to a third country should conduct ‘the general adequacy test’
as follows:
1. The nature of the personal data - if the personal data are already in the public domain
then the transfer of such data to a third country will have little consequence in terms of the
rights and freedoms of the data subject. Conversely, transfer of sensitive personal data to a
third country will have a much greater impact on such rights and freedoms of data subjects;
2. The country or territory from which the data originate - where the data have been
obtained in a third country the data subject may have different expectations as to the level of
protection that will be afforded to their data than they would had the data been obtained in the
EEA;
3. The country or territory of final destination of that personal data - i.e. if data originate
in a third country, are transferred for processing in an EEA state and then returned to the
original third country, then the level of protection afforded to those data may not need to
provide greater protection than a citizen of the country of origin would have expected;
4. The purposes for which and period during which the data are intended to be
processed - the longer the period of processing the more likely it will be that any deficiencies
in the legal protection will be exposed;
5. The law in force in the country or territory in question - i.e. whether or not the third
country in question has in place any data protection rules at all and, if so, what they are and
whether they are effectively applied;
6. The international obligations of that country or territory - this refers to whether or not
a "Community finding" has been published by the European Commission in relation to a third
country. This finding will denote whether or not a third country provides an adequate level of
protection in relation to the transfer of any personal data. At present, there are no such
findings in force;
7. Any relevant codes of conduct or other rules which are enforceable in that country
or territory - the University should consider whether or not (or to what extent) and, if so, how
contractual terms could be used to secure adequacy, e.g. requesting that the third country
adopts the University’s internal data protection policy/code of conduct, which would provide a
framework for the third country for the way it processes personal data;
8. Any security measures taken in respect of the data in that country or territory - the
University may be able to ensure that the country or territory adopts the University’s
information security management practices, such as storing personal data in locked filing
cabinets or password protecting documents on computers, or may insist that that country or
territory uses technical measures such as encryption.
December 2008