Q&As

Does a company transferring personal data to one of its US group companies or enabling access to their UK servers by their US group company need to put in place any solutions to permit the transfer?

read titleRead full title
Published on LexisPSL on 07/11/2017

The following Information Law Q&A provides comprehensive and up to date legal information covering:

  • Does a company transferring personal data to one of its US group companies or enabling access to their UK servers by their US group company need to put in place any solutions to permit the transfer?
  • The data export restriction
  • What is a transfer?
  • Exceptions to the data export restriction
  • Adequate safeguards
  • Data controller adequacy assessments
  • The General Data Protection Regulation

Does a company transferring personal data to one of its US group companies or enabling access to their UK servers by their US group company need to put in place any solutions to permit the transfer?

In this Q&A, we have focused on current UK law under the Data Protection Act 1998 (DPA 1998).

The data export restriction

Article 25 of Directive 95/46/EC (the Data Protection Directive) prohibits controllers in EU Member States:

  1. from transferring personal data to any territory outside the EEA

  2. unless an ‘adequate’ level of privacy protection is ensured for the data transferred

The Data Protection Directive is incorporated into UK law by the DPA 1998, which includes at its core eight data protection principles for handling personal information, see Practice Note: Data protection principles under the DPA 1998. The eighth and final of these data protection principles enshrines the above restriction as follows:

'Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.'

What is a transfer?

To evaluate whether an activity is subject to Principle 8, it is first necessary to consider whether the activity actually includes transferring data.

Guidance from the Information Commissioner's Office (ICO) notes that a ‘transfer’ involves sending personal data to someone

Popular documents