International Transfers of Personal Data

Summary

Occasionally there may be a need to transfer City personal data outside of the European Economic Area (EEA). For example, you may wish to process City personal data on a platform or server that is based in India.

If you wish to transfer personal data of individuals residing in the EEA, outside of the EEA, you must contact the Information Assurance Team (dataprotection@city.ac.uk) to obtain advice on how best to ensure that the transfer complies with data protection law, and to ensure that appropriate contractual safeguards are in place.

This applies whether you are transferring data directly from City, or whether a third party providing services to City is transferring the data.

Adequate data protection inside and outside of the EEA

Inside the EEA

There are currently no restrictions on the processing of data inside the EEA. However, at the end of the (Brexit) transition period after 31 December 2020, there may be restrictions for transfers from third parties in the EEA to the UK. This will depend on whether or not the UK is given an adequacy decision. We will continue to keep this section updated.

Outside of the EEA

DP law requires whenever we process personal data outside of the EEA, we can only do so if that country or territory has an adequate level of data protection for the rights and freedoms of data subjects in relation to the processing of such data. If you are transferring personal data outside of the EEA please contact the Information Assurance Team (dataprotection@city.ac.uk) to discuss whether the country is adequate and assist in making a decision as to whether the arrangements in place are adequate.

The ways in which an international transfer of City personal data outside of the EEA could be deemed acceptable is through one of the following:

• If there is a written contract in place that includes Standard Contractual Clauses (SCCs) approved by the European Commission;
• The company to whom the personal data is being transferred has Binding Corporate Rules (BCRs) approved by the European Commission;
• If an international transfer is to the US and the third party in the US is Privacy Shield certified;
• If the country that the data is being transferred to has an Adequacy Decision;
• With the explicit consent of each individual whose personal data is being transferred.

Standard Contractual Clauses (SCCs)

You are able to transfer personal data outside of the EEA, including to the US, if the transfer takes place with SCCs, which sets out certain EU safeguards.

The European Commission has so far issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EEA.

It has also issued one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or EEA.

• EU controller to non-EU or EEA controller (login required)
• EU controller to non-EU or EEA processor (login required)

The ICO has also issued clause-by-clause guidance on how SCCs work:

• Controller to controller template (login required)
• Controller to processor template (login required)
• Transferring to the US – Privacy Shield

US companies that host City personal data in the US will be deemed to have adequate privacy safeguards if they have registered with the EU-US Privacy Shield. The Privacy Shield imposes obligations on certified US companies to protect the personal data of Europeans.

Adequacy decisions

Countries that have an Adequacy Decision include:

• Switzerland
• Canada (with restrictions)
• Argentina
• Guernsey
• Jersey
• Isle of Man
• New Zealand
• Uruguay
• Israel
• Faroe Islands
• Andorra
• Japan

Transfers of personal data to City sites outside of the EEA

ICO Guidance suggests that a transfer by a company subject to the GDPR to a branch office that does not have separate legal personality to that company would not be a restricted transfer. However, it is currently unclear if the European Data Protection Board and supervisory authorities in other EU states share that interpretation.

Accordingly, transfers of personal data from City sites in the UK, will not necessarily be considered to be restricted if it is sent to other City sites around the world (e.g Dubai).

Who to Contact for Further questions?

Data Protection Representatives (‘DP Reps’) are your first port of call for any data protection queries you may have.

When you contact one of our DP reps, please ensure that you include the DP mailbox (dataprotection@city.ac.uk). You may also contact your relevant SIRO.