Transfer of data

Can personal data be transferred to a country or territory outside the EEA?

There is a general prohibition on transfers of personal data outside of the EEA unless these transfers are subject to quite narrowly prescribed conditions and safeguards.

The University clearly works with many organisations in countries and territories which fall outside of this region, but this does not mean that the University cannot supply, or provide access to, personal data to organisations in those countries. It does, however, mean that researchers need to comply with the conditions for transferring personal data to such countries and territories.

Please note that if you move to another institution which is located outside the EEA, and the University has permitted you to take research data with you, this will count as a transfer of data.

Transfers of personal data to a country or territory outside the EEA may take place if one of the following conditions are complied with:

Expand All

The European Commission considers the data protection laws in that country or territory ensures an adequate level of protection for data subjects.

To date, only the following have passed the test: Andorra, Argentina, Canada (for commercial organisations), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand and Uruguay.

In addition, a transfer to a US company that has been certified under the EU-US Privacy Shield Framework will be regarded as legal under the GDPR. The list of companies that are certified under the Privacy Shield can be searched on the Privacy Shield website.

Transfers may occur if the controller and processor have provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. This includes (most commonly) the use of standard contractual clauses which have been approved by the European Commission.

Researchers should seek advice from Research Services on all research-related agreements, including when seeking to legitimise transfers of personal data outside the EEA under standard contractual clauses, Privacy Shield or otherwise.

Cloud service providers

Researchers need to bear in mind that using international cloud-based services, eg Dropbox, may involve a transfer of personal data outside the EEA. Even if the service in question has signed up to the EU-US Privacy Shield (see above), it may not be appropriate to use such a service, since the terms and conditions tend to be one-sided, and are unlikely to be sufficient to enable the University to meet all its obligations under the GDPR.

If you sign up to a cloud service in your role as a member of staff, you may be binding the University, and not just yourself, to the cloud service's contractual terms. The risks will be greater where the personal data involved is confidential or sensitive. You therefore need to think carefully about whether you could use an alternative service that complies fully with the GDPR or whether you could use the service without sharing personal data.

Next