Featured in JEP’s Expert Panel – 28th March 2018
Very early into my conversations with clients about GDPR, the subject of data transfers always leads to interesting debate around the data controller’s responsibilities and what is realistically expected of them to demonstrate compliance.
The formal answer is to refer to Article 45 (“Transfers on the basis of an adequacy decision”) and Article 46 (“Transfers subject to appropriate safeguards”) of GDPR and talk through the various options. For example, if transfers of EU citizens’ data are currently happening outside the EEA, the preference would be to change to service providers located in the EEA or in countries with “adequacy status”, or to make transfers under the approved standard model clause contracts or binding corporate rules contracts, if possible and if relevant.
The data controller or data processor is responsible for ensuring appropriate safeguards are in place; otherwise, they must get the “explicit” consent of the data subject for the data transfer outside the EEA.
There are key provisions in place allowing transfers where they are required to perform a contract agreed with the data subject, where they are in the public interest, where they are in defence of a legal claim, or where they protect the vital interests of the data subject or others.