International Data Transfers
Please contact the Information and Data Compliance Team first before undertaking any International Data Transfers by completing the attached form and sending via email.
The GDPR imposes restrictions on the transfer of personal data outside the EEA. Currently the EEA countries are:
Austria | Belgium | Bulgaria | Czech Republic |
Cyprus | Denmark | Estonia | Finland |
France | Germany | Greece | Hungary |
Iceland | Ireland | Italy | Latvia |
Liechtenstein | Lithuania | Luxembourg | Malta |
Netherlands | Norway | Poland | Portugal |
Romania | Slovakia | Slovenia | Spain |
Sweden | UK |
Personal data may only be transferred outside the EEA in compliance with the following circumstances:
Adequacy decision by the Commission
Data transfers outside the EEA may be made where the European Commission has decided that a third country, a territory or one or more specific sectors in the third country, or an international organisation ensures an adequate level of protection. Currently, the following countries are considered as having adequate protection:
Andorra | Argentina | Canada * | Faroe Islands |
Guernsey | Israel | Isle of Man | Jersey |
New Zealand | Switzerland | Uruguay | The US † |
* (Commercial organisations only)
†(limited to the Privacy Shield framework)
Third Countries
All countries which do not fall within the above lists are considered non-adequate countries for data protection purposes and are known as third countries.
Additional adequate safeguards
Organisations are able to transfer personal data to third countries where the organisation receiving the personal data has provided additional adequate safeguards which act as data protection guarantees. The safeguards must be outlined in a legally binding instrument, such as a contract or a Memorandum of Understanding, between the transferring and recipient parties. They should clearly describe the data protection principles that have to be respected, in particular:
- data should be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer;
- data quality and proportionality;
- information of individuals concerned;
- security measures;
- possibility for the individuals involved to exercise their rights of access, rectification and opposition;
- restrictions on onward transfers by the data recipient; and
- effective supervision and enforcement mechanisms to ensure that the above-mentioned principles are respected.
Information to be provided to the data subject
A description of the details of the transfer, such as the categories of data, purposes, retention periods, detailed security measures, should be provided to the individuals (data subjects) concerned and explain how they can exercise their rights.
Derogations from the prohibition of transfers outside the EEA
The GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations.
Procedure
As noted above the University’s DPO and Information and Data Compliance Team should be consulted before any International Data Transfers occur by completing the attached form for further advice and email to GDPR@warwick.ac.uk.