SaaS Agreements – FAQs – Transfer Mechanisms

Below is a summary of the transfer mechanisms that can be relied upon to make a lawful transfer of UK, Swiss or EEA personal data to a country outside of the UK, Switzerland or the EEA.

An adequacy decision is granted when the recipient country is found to have data protection laws and practices that provide a level of protection essentially equivalent to that of the sending country.

1. Adequacy Decisions

Where personal data is sent to a country covered by an adequacy decision, restricted transfers can be made without any additional safeguards or measures being put in place to protect the personal data. The scope of the decision should still be checked: some cover only part of the destination country (for example, Canada's covers commercial organisations only) and some cover only organisations that have certified under a specified framework.

EU Transfers

EU Adequacy Decisions

The European Commission has currently awarded Adequacy Decisions to the following countries:

Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom (under the GDPR and the LED), the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay.

A full list can be found on the European Commission website – Adequacy Decisions.

EU-US Data Privacy Framework (DPF)

The European Commission adopted its adequacy decision for the DPF in July 2023 to permit restricted transfers of personal data from the EEA to the USA. EEA personal data can lawfully be transferred to organisations located in the USA that have self-certified under the DPF and comply with its principles.

Certification of any US entity can be checked via the DPF list (published on the dataprivacyframework.gov website). The entry should be checked for whether the certification is active and whether it covers the categories of data being transferred, as HR data is listed separately from non-HR data.

UK Transfers

UK Adequacy Decisions

As a result of Brexit, the UK awarded UK adequacy decisions to permit the transfer of personal data from the UK to:

  • the EEA; and
  • any country that was covered by an EU Adequacy Decision at the end of the Brexit transition period.

This allows personal data to flow freely between the UK, the EEA and any countries awarded an EU Adequacy Decision.

Since Brexit, the UK Government has had its own power to make UK Adequacy Decisions for countries outside the EEA, but these only cover personal data being transferred from the UK. EU Adequacy Decisions adopted after the transition period do not automatically apply to UK transfers.

One such UK Adequacy Decision has been granted to South Korea.

Currently the UK government is in discussions with the following countries and jurisdictions for their own UK Adequacy Decisions:

  • Australia
  • Dubai (the Dubai International Financial Centre)
  • Kenya

UK-US Data Bridge

The UK government agreed its own transfer mechanism with the USA, the UK-US Data Bridge, in September 2023. It permits restricted transfers of personal data from the UK to the USA from 12 October 2023.

US authorities refer to the UK-US Data Bridge as the UK Extension to the DPF. An entity based in the USA can sign up to the UK Extension when self-certifying under the DPF; it must hold an active DPF certification for the UK Extension to apply.

Certification of any US entity under the UK-US Data Bridge can be checked via the DPF list.

Swiss Transfers

Swiss-US Data Privacy Framework

The Swiss authorities are currently finalising the provisions of a parallel framework between Switzerland and the USA (the Swiss-US Data Privacy Framework). Until the Swiss-US Data Privacy Framework is finalised, Switzerland's adequacy list remains unchanged and transfers of Swiss personal data to the USA still require another transfer mechanism, such as SCCs.

Under the revised Swiss Federal Act on Data Protection (FADP), in force since 1 September 2023, the Swiss Federal Council has the authority to decide on the adequacy of states, and it will be for the Federal Council to determine whether the USA is added to the list in due course.

2. Standard Contractual Clauses

EU Standard Contractual Clauses

In the absence of an EU Adequacy Decision, the EU Standard Contractual Clauses (EU SCCs) can be used. They are signed by both the sender (data exporter) and the receiver (data importer) of the personal data and contain mandatory contractual obligations designed to provide legal protection for personal data when it is transferred to a country that is not "adequate". The 2021 EU SCCs are modular: the parties must select the module that matches their relationship (for a typical SaaS customer and supplier, controller-to-processor) and complete the annexes describing the parties, the transfer and the technical and organisational security measures. The older 2010 SCCs can no longer be relied upon.

UK Standard Contractual Clauses

In the absence of a UK Adequacy Decision, the UK Standard Contractual Clauses (UK SCCs) can be used, meaning either the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs. They are signed by both the sender and the receiver of the personal data and contain mandatory contractual obligations designed to provide legal protection for personal data when it is transferred to a country that is not "adequate".

Data Transfer Assessments

If a SaaS supplier or SaaS customer wishes to rely on EU SCCs or UK SCCs, they must first carry out a written data transfer assessment (DTA) to determine whether the personal data will be adequately protected; SCCs cannot be relied upon unless the DTA has been completed. The assessment considers the laws and practices of the destination country (in particular the scope for government access to the data) and whether supplementary measures are needed, such as encrypting the data with keys held only by the exporter. In the EU the assessment is called a Transfer Impact Assessment (TIA). In the UK it is called a Transfer Risk Assessment (TRA).

3. Binding Corporate Rules (BCRs)

BCRs can only be used as a transfer mechanism for transfers of personal data between entities within the same company group, and must be approved by the relevant supervisory authority (in the UK, the ICO) before they can be relied upon. As with SCCs, a DTA will need to be carried out where BCRs are relied upon.

Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years' experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues please contact me:

irene.bodle@bodlelaw.com

www.bodlelaw.com
