What is a Transfer under GDPR?

We'll set it out and identify 5 Key Facts

So, what is a transfer under GDPR?  Well, we’ll answer that – and deal with Brexit – and set out the 5 Key Facts you need to know about ‘What is a transfer?’

And you can watch our FREE video: ‘What is a Transfer under GDPR?  5 Key Facts’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy.  If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.

What is a transfer under GDPR?

Well, like so many things, it isn’t explicitly defined, but it is implicitly – and circuitously – defined all the way through.

We’ll focus on the EU GDPR to start with as the rules are identical in the UK GDPR and we’ll deal with Brexit at the end, so stick with us.

Now, Recital 101 – believe it or not! – of GDPR defines transfer as well as anywhere else and tells us clearly why it matters. It says:

‘when personal data are transferred from the EU to controllers, processors and other recipients in third countries, or to international organisations, the level of protection of natural persons ensured by the GDPR should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors, other recipients in the same or another third country or international organisation.’

So, the first transfer and the second, et cetera.

We can immediately see that the whole idea of transfers is to make sure that personal data stays protected when it’s transferred outside the EU GDPR’s jurisdiction to either a third country or an international organisation, whether once, twice or more.

It makes sense when you think about it: you shouldn’t be able to avoid GDPR’s rules and obligations simply by exporting data outside the EEA, for example.

So what is a ‘third country’?

Third countries

Well, this is pretty easy!  The EU GDPR applies in the EU, that’s been extended to the EEA, and we’ve seen that the transfer system is designed to protect personal data when it leaves the GDPR’s direct protection.

So a third country is simply any country other than a Member State of the EEA – the European Economic Area.

Okay, what’s an international organisation or IO?

International organisations

Well, happily, this is defined!  And, as our first key point on transfers, this is definitely not as you’d expect.

An international organisation or IO for GDPR is most definitely not a typical multi-national corporation – it’s not Ford, Toyota or anyone like this.

It’s defined as:

‘an organisation and its subordinate bodies governed by public international law or any other body which is set up by, or on the basis of, an agreement between two or more countries’.

Now, examples are always great and the European Data Protection Supervisor gives us these excellent examples of what IOs are:

  • the Council of Europe,
  • the International Committee of the Red Cross,
  • INTERPOL,
  • the UN itself,
  • the UNHCR,
  • the European Space Agency,
  • CERN and
  • WIPO.

You can see it’s definitely not an international business like Shell or Apple or Google!

(Now, there may be some technical argument about whether IOs are covered by or are exempt from GDPR.  But let’s just assume that they’re exempt and that’s why they’re referred to in the transfer structure.)

And our second key point to note about transfers: an IO can be within the EEA and it’s still a transfer.

But you can see that transfers to IOs are pretty rare for the vast majority of organisations – particularly if you’re private sector, you’ll probably never deal with one.

So let’s look a bit more at what a transfer actually is: one major thing that is included, and a minor thing that isn’t but is still important to know.

So, what IS a transfer?

A transfer clearly happens when you literally give personal data, physically or electronically, to someone who is outside the EEA or is an IO.

Making available

So our third key point and one of the most fundamental points about transfers – and it’s not always appreciated at all – is a transfer also happens when you simply make personal data available.

The UK ICO gives a good example: if you load personal data onto a UK server that’s then available through a website and you plan or anticipate the website can be accessed from outside the EEA, you should treat that as a transfer.

In more practical terms, say you’ve set up in-house or outsourced ‘follow the sun’ support or ops teams, located say in the US, Europe, India and Hong Kong, and they simply access your CRM or databases in the EU without downloading any data.  That’s still a transfer to the US, India, Hong Kong et cetera of any personal data they can access.

Transit

Now, our fourth key point is that transit is not transfer. So if personal data has moved from one EEA Member State to another but just transits outside the EEA on its way there, that’s not a transfer.  The UK ICO gives a good example:

  • They talk about personal data moving from a controller in France to a controller in Ireland – both countries in the EEA – via a server in Australia.
  • There’s no intention that the personal data will be accessed or manipulated while it’s in Australia. It’s just transiting through.
  • Therefore, the movement is only to Ireland, so for GDPR it’s not a transfer.

Vocab

Now in common parlance ‘transfer’ is when you give the data to somebody else – you transferred that data to someone.  And the UK ICO does use the word ‘transfer’ in that example above, but we’ve changed it to the word ‘move’ to make it clearer.

You can see we’ve got to be a bit careful with the word ‘transfer’, because in normal parlance, yes, transferring data from France to Ireland is transferring data to somebody else.  But in GDPR-speak, a ‘transfer’ is outside the EEA or to an international organisation.

Now, our fifth key point is about Brexit.

Brexit

As we saw in our blog Did Brexit Kill GDPR? and its sister video, until the end of 2020, the UK is treated as part of the EEA under the EU GDPR, so the GDPR applies here in the UK as it did before, and that also applies to transfers.

So for the purpose of transfers we’re deemed still, in the UK, to be within the EEA until the end of 2020.

But unless something happens beforehand, from 1 January 2021 the UK will be a third country under the EU GDPR.  Personal data sent to or accessed from the UK will be a transfer for EU GDPR.

And the UK will have its own UK GDPR with exactly the same transfer structure, but that’s much simpler to understand: under the UK GDPR it’s when personal data is being sent outside or accessed from outside the UK.

So there you are!  Transfers under GDPR and five key points to know.

Do ask for a demo of Keepabl’s award-winning SaaS solution; we’ve a great way to identify, track and manage your transfers.

Please do look at our other Privacy Kitchen videos, and please do use #privacykitchen to tell us the topics and questions you want covered.

Stay well in the meantime, and see you soon in Privacy Kitchen!