International Transfers of Personal Data

What is meant when we refer to the international transfer of personal data? Personal data is considered to be transferred internationally when:

  • It is physically transferred across a border; or
  • It is accessed across borders.

Which borders should we be concerned about for the international transfer of personal data? Transfers of personal data are not restricted within the EU. Transfers to other countries are prohibited unless such country provides “an adequate level of data protection” as determined by the European Commission or unless certain other conditions are fulfilled.

Which countries outside the EU are considered adequate? See: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

What are our options if the Country we are sharing data with are not on the EU approved list?  The University can use contractual safeguards:

  • Use of EU-approved Model Contracts between the Data Exporter and Data Importer
  • Binding Corporate Rules
  • Codes of Conduct and Certification – an external Controller or Processor may commit to a scheme approved at EU level.

If none of these options applies, you can transfer the personal data if:

-you have the individual’s explicit consent;

-the transfer is a necessary to enter into or perform a contract perform with the individual (e.g to provide a mandatory overseas placement);

-the transfer is a necessary to enter into or perform a contract perform with another person/organisation for the benefit the individual (e.g. when the University takes out local insurance for students on overseas field trips); or

-the transfer is necessary for legal proceedings/advice.

 

 

Please consult the University Data Protection Officer for more information.