Transfer of data
Can personal data be transferred to a country or territory outside the EEA?
There is a general prohibition on transfers of personal data outside of the EEA unless these transfers are subject to quite narrowly prescribed conditions and safeguards.
The University clearly works with many organisations in countries and territories which fall outside of this region, but this does not mean that the University cannot supply, or provide access to, personal data to organisations in those countries. It does, however, mean that researchers need to comply with the conditions for transferring personal data to such countries and territories.
Please note that if you move to another institution which is located outside the EEA, and the University has permitted you to take research data with you, this will count as a transfer of data.
Transfers of personal data to a country or territory outside the EEA may take place if one of the following conditions are complied with:
The European Commission considers the data protection laws in that country or territory ensures an adequate level of protection for data subjects.
To date, only the following have passed the test: Andorra, Argentina, Canada (for commercial organisations), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand and Uruguay.
In addition, a transfer to a US company that has been certified under the EU-US Privacy Shield Framework will be regarded as legal under the GDPR. The list of companies that are certified under the Privacy Shield can be searched on the Privacy Shield website.
Transfers may occur if the controller and processor have provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. This includes (most commonly) the use of standard contractual clauses which have been approved by the European Commission.
Researchers should seek advice from Research Services on all research-related agreements, including when seeking to legitimise transfers of personal data outside the EEA under standard contractual clauses, Privacy Shield or otherwise.