
02) Do you use appropriate legal mechanisms for all international transfers of personal data?

August 30, 2022
GDPR
DPO
Data Protection Officer

Answer yes if you have processes in place to ensure that every cross-border transfer of personal data is covered by an appropriate contractual or legal mechanism for the jurisdictions involved. For example, this could be an international data transfer agreement, standard contractual clauses, or reliance on an adequacy decision. Please describe in the notes section which mechanism is used for which instances of data transfer.

Many countries apply specific protection laws to personal data and extend those laws to data transferred across their borders. These laws often require legally binding contract clauses that define what data is transferred and how it is processed, so that the protection and privacy rights of individuals remain as defined in the country of origin.

There are different approaches to protecting personal information that is being transferred for processing. For example, the EU’s General Data Protection Regulation (GDPR), which applies directly in every member state, restricts the transfer of personal data to a third country unless the European Commission (EC) has adopted an ‘adequacy decision’ confirming that the country offers protection essentially equivalent to GDPR. Where no adequacy decision exists, GDPR requires the controller or processor to rely on appropriate safeguards, such as standard contractual clauses or binding corporate rules, supplemented by technical and organisational measures that restrict and protect the processing of the transferred data, or on one of a narrow set of derogations for specific situations.

Similarly, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) holds an organisation accountable for personal information it transfers to a third party for processing, including a third party operating outside of Canada.

Data transfer legal requirements can apply to personal data:

  • transferred within the organisation, for example from a regional office in France to the same organisation’s datacentre in the US.
  • transferred between organisations, for example an organisation in France using a US-hosted service provider.

How to implement the control

You must ensure that for each case where personal data is transferred across territorial boundaries, whether within your organisation or between your organisation and another, you have:

  • reviewed the data privacy and protection legal requirements in the country of origin, and
  • defined legal contract clauses, or ensured that your service providers have defined terms of service clauses, which provide the required legal protection for the transferred data.

If required, a third-party data protection consultancy or legal counsel can review your organisation’s data processing activities and either confirm that your contracts meet the legal requirements or advise on the improvements needed.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
