So, what is a transfer under GDPR? Well, we’ll answer that – and deal with Brexit – and set out the 5 Key Facts you need to know about ‘What is a transfer?’
And you can watch our FREE video: ‘What is a Transfer under GDPR? 5 Key Facts’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.
Well, like so many things, it isn’t explicitly defined, but it is implicitly – and circuitously – defined all the way through.
We’ll focus on the EU GDPR to start with as the rules are identical in the UK GDPR and we’ll deal with Brexit at the end, so stick with us.
Now, Recital 101 – believe it or not! – of GDPR defines transfer as well as anywhere else and tells us clearly why it matters. It says:
So, the first transfer and the second, et cetera.
We can immediately see that the whole idea of transfers is to make sure that personal data stays protected when it’s transferred outside the EU GDPR’s jurisdiction to either a third country or an international organisation, whether once, twice or more.
It makes sense when you think about it – you shouldn’t be able to just avoid GDPR’s rules and obligations just by exporting data outside the EEA for example.
So what is a ‘third country‘?
Well, this is pretty easy! The EU GDPR applies in the EU, that’s been extended to the EEA, and we’ve seen that the transfer system is designed to protect personal data when it leaves the GDPR’s direct protection.
So a third country is simply any country other than a Member State of the EEA – the European Economic Area.
Okay, what’s an international organisation or IO?
Well, happily, this is defined! And, as our first key point on transfers, this is definitely not as you’d expect.
An international organisation or IO for GDPR is most definitely not a typical multi-national corporation – it’s not Ford, Toyota or anyone like this.
It’s defined as:
Now, examples are always great and the European Data Protection Supervisor gives us these excellent examples of what IOs are:
You can see it’s definitely not an international business like Shell or Apple or Google!
(Now, there may be some technical argument about whether IOs are covered by or are exempt from GDPR. But let’s just assume that they’re exempt and that’s why they’re referred to in the transfer structure.)
And our second key point to note about transfers: an IO can be within the EEA and it’s still a transfer.
But you can see that transfers to IOs are pretty rare for the vast majority of organisations – particularly if you’re private sector, you’ll probably never deal with one.
So let’s look a bit more at what a transfer actually is, and let’s look at one major thing that’s included and a minor thing that isn’t but it’s still important to know.
A transfer clearly happens when you literally give personal data to someone, physically or electronically who is outside the EEA or is an IO.
So our third key point and one of the most fundamental points about transfers – and it’s not always appreciated at all – is a transfer also happens when you simply make personal data available.
The UK ICO gives a good example: if you load personal data onto a UK server that’s then available through a website and you plan or anticipate the website can be accessed from outside the EEA, you should treat that as a transfer.
In more practical terms, say you’ve set up in-house or outsourced ‘follow the sun‘ support or ops teams, they’re probably say in the US, Europe, India, Hong Kong and they simply access your CRM or databases in the EU without downloading any data. That’s still a transfer to the US, India, Hong Kong et cetera of any personal data they can access.
Now, our fourth key point is that transit is not transfer. So if personal data has moved from one EEA Member State to another but just transits outside the on its way there, that’s not a transfer. The UK ICO gives a good example:
Now in common parlance ‘transfer‘ is when you give the data to somebody else – you transferred that data to someone. And the UK ICO does use the word ‘transfer’ in that example above, but we’ve changed it to the word ‘move’ to make it clearer.
You can see we’ve got to be a bit careful with the word ‘transfer’, because in normal parlance, yes, transferring data from France to Ireland is transferring data to somebody else. But in GDPR- speak, a ‘transfer’ is outside the EEA or to an international organisation.
Now, our fifth key point is about Brexit.
As we saw in our blog Did Brexit Kill GDPR? and its sister video, until the end of 2020, the UK is treated as part of the EEA under the EU GDPR, so the GDPR applies here in the UK as it did before, and that also applies to transfers.
So for the purpose of transfers we’re deemed still, in the UK, to be within the EEA until the end of 2020.
But unless something happens beforehand, from 1 January 2021 the UK will be a third country under the EU GDPR. Personal data sent to or accessed from the UK will be a transfer for EU GDPR.
And the UK will have its own UK GDPR with exactly the same transfer structure, but that’s much simpler to understand: under the UK GDPR it’s when personal data is being sent outside or accessed from outside the UK.
So there you are! Transfers under GDPR and five key points to know.
Do ask for a demo of Keepabl’s award-winning SaaS solution, we’ve a great way to identify, track and manage your transfers.
Please do look at our other Privacy Kitchen videos, and please do use #privacykitchen to tell us the topics and questions you want covered.
Stay well in the meantime, and see you soon in Privacy Kitchen!
The difference between a controller and a processor under GDPR should be an easy topic, but it can even get Privacy professionals tied up in knots. Don’t worry if it’s…