SaaS Agreements – FAQs – Restricted Transfers

Restricted transfers are a type of international data transfer to which special rules apply. SaaS suppliers and SaaS customers are responsible for complying with the relevant rules when making or permitting restricted transfers of personal data to their suppliers, customers, sub-processors, group companies and partners.

What is an international data transfer?

An international data transfer occurs when personal data is sent or transmitted from one country to another.

This includes:

  • sending personal data to an entity located in another country; and
  • making personal data available to an entity located in another country.

SaaS suppliers and SaaS customers should be aware that storing personal data in the UK/EEA, i.e. in a data centre located in the UK, Switzerland or the EEA, will not prevent a restricted transfer from taking place, unless the stored personal data cannot be accessed from, or sent to, an entity outside of the UK, Switzerland and the EEA.

What is a Restricted Transfer?

Examples of restricted transfers:

  • Emailing electronic documents containing personal data to another country
    e.g. using a third-party email service
  • Sending electronic documents containing personal data to another country
    e.g. using a CRM SaaS service
  • Emailing records containing personal data to another country
    e.g. within a SaaS database
  • Allowing an entity based in another country access to documents or records containing personal data
    e.g. via a third-party hosting centre
  • Allowing another entity in the same corporate group, based in another country, access to UK/EU employee data
    e.g. for internal business purposes

Restricted Transfers from the EEA

The EU GDPR sets out the rules for making an international data transfer to an entity located outside the EEA. This is known as a “restricted transfer”.

In order for a restricted transfer to be lawful under the EU GDPR, additional safeguards must be in place.

Restricted Transfers from the UK

The UK GDPR sets out the rules for making an international data transfer to an entity located outside the UK. This is also known as a “restricted transfer”.

In order for a restricted transfer to be lawful under the UK GDPR, additional safeguards must be in place.

Who is responsible for a restricted transfer?

SaaS customers based in the UK, Switzerland or the EEA are responsible for making sure additional safeguards are in place before making restricted transfers of UK, Swiss or EEA personal data to their SaaS suppliers, group companies, suppliers or partners.

SaaS suppliers (processors) subject to the EU GDPR or the UK GDPR are responsible for making sure additional safeguards are in place before making restricted transfers of UK, Swiss or EEA personal data to their sub-processors, group companies, customers, suppliers or partners.

Transfer Mechanisms

SaaS suppliers and SaaS customers can only lawfully make restricted transfers of UK, Swiss or EEA personal data if they use a recognized transfer mechanism.

Currently these are:

  • Adequacy (EU adequacy decisions, DPF);
  • EU Standard Contractual Clauses (EU SCCs);
  • UK Standard Contractual Clauses (UK SCCs);
  • Binding Corporate Rules (BCRs).

If none of the above transfer mechanisms is used, no restricted transfer of personal data can be lawfully made.

Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years' experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues, please contact me:

irene.bodle@bodlelaw.com

www.bodlelaw.com