There are no restrictions on transferring personal data within the EEA.  However, due to the global nature of SaaS or ASP agreements personal data often needs to be  transferred outside of the EEA, for example to an IT outsourcing provider in India, a subsidiary of your company in China or a data centre or software development centre in Vietnam.

Restrictions on Export of Data Outside of the EEA

Under the 8th principle of the Data Protection Act 1998 before any personal data may be exported to any country outside of the EEA, you must ensure that there are adequate levels of protection in place. The European Economic Area consists of the 27 EU member states plus Norway, Iceland and Liechtenstein. There are four ways in which adequate levels of protection can be achieved:

  • consent
  • equivalent protection/ safe harbor
  • use of the EU model contract clauses
  • binding corporate rules

Consent

The easiest method of compliance is to obtain specific consent from the data subject before the transfer takes place. If the data subject consents to the transfer, you will comply with the Data Protection Act. Consent is usually obtained by having a data subject agree to the transfer of its personal data outside of the EEA and full details about the transfer itself should be set out in your privacy policy.

Equivalent Protection and Safe Harbor

Alternatively, the transfer is permitted if the non-EEA country to which the personal data is being transferred has equivalent data protection legislation. Currently only Switzerland, Canada and Argentina are recognised as having adequate protection. Certain companies in the USA are also recognised under the safe harbor process, provided that the company to which the personal data is being transferred has an up to date safe harbor registration.

EU Model Clauses

The European Commission has issued its own model clauses to cover transfers of personal data outside of the EEA. If these model clauses  are used in the SaaS agreement with the data subject and the agreement with the third party IT outsourcer, data centre or software developer to whom the data is being transferred, there will be adequate protection. However, these clauses are not ideal due to the different legal responsibilities of the data processor and the data controller which still remain unclear in the situation where there is a sub-processor.

Also, from the 15th of May, the new model clauses should be used – which replace the previous version.

Binding Corporate Rules

These are designed to cover transfers of personal data within multi-national companies where they have subsidiaries based in many countries. These rules only permit the inter-company transfer of personal data and do not cover transfers to third parties such as IT outsourcing providers or data centres. To date very few companies have adopted binding corporate rules due to the expense and time it takes for the rules to be recognised within the EU.

Help

For assistance with transfers of personal data within or outside the EEA, SaaS, ASP, software on demand contract  or any other IT legal issues contact:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles: